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* Chapter 10, "Best Practices and Common Questions," on page 71 

* Chapter 11, "Limitations for CIS," on page 77 

* Appendix A, "Configuration and Log Files," on page 79 

* Appendix B, "Installing and Configuring MariaDB," on page 81 

* Appendix C, "Creating Certificates," on page 83 


Audience 


This guide is intended for storage services administrators. 


Feedback 


We want to hear your comments and suggestions about this manual and the other documentation 
included with this product. Please use the comment on this topic link at the bottom of each page of 
the online documentation. 


Additional Documentation 


For documentation on other OES guides, see the OES 2018 SP2 Documentation web site (https:// 
www.novell.com/documentation/open-enterprise-server-2018/). 
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Overview of Cloud Integrated Storage 


Cloud Integrated Storage (CIS) is a hybrid cloud solution that provides a secure gateway to store, 
manage, and access data across private or public cloud. 

* Section 1.1, "Understanding Cloud Integrated Storage," on page 9 

* Section 1.2, "Benefits of Cloud Integrated Storage," on page 11 

* Section 1.3, "CIS Architecture Overview," on page 12 

* Section 1.4, "CIS Components," on page 12 

* Section 1.5, "Services and Components Used by CIS," on page 14 

* Section 1.6, "Management Tools," on page 15 


* Section 1.7, "What's Next," on page 15 


Understanding Cloud Integrated Storage 


A lot of our OES customers deal with huge storage (greater than TB) of data that is stored in the OES 
servers. As time grows, the data keeps increasing adding to the storage and maintenance cost. In the 
past few years, an object store or cloud has become very popular as a storage solution as it provides 
scalable storage and deployment with the total cost of ownership often being much less. 


As the enterprise data continues to grow, the cold or inactive data keeps increasing and fills up the 
primary or expensive storage. This results in less space for hot or active data. Instead, you can move 
the cold data to cloud storage using pre-defined policies. 


Keeping this in mind, we asked ourself how can we help our users take advantage of the benefits of 
an object store or cloud storage through OES and decided to offer a solution called Cloud Integrated 
Storage (CIS). CIS allows you to move and provision the enterprise data from the OES servers to 
object store or cloud storage by using pre-defined policies. 
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The three main objectives of CIS are: 
* Analyze: A single view of data available across your organization. CIS performs adaptive 
scanning of the data on the OES servers and provides meaningful information such as: 
* Percentage of hot and cold data available based on the access time and modified time 
* Volumes with more cold data 


* Top file types available as part of cold data 


This information helps you to decide on how to manage the data effectively. 


* Migrate: Based on your organizational needs, CIS helps you to create rich policies to decide 
what kind of data to be migrated. It offloads the cold data from highly expensive storage to 
much cheaper cloud storage while users still continue to seamlessly access the files. 


* Report: Provides a rich dashboard to view the trends around the data movement. Generate 
reports on data migration and recall and also provides a graphical representation of the same 
for better understanding. You get to explicitly see how the data is moving within your 
organization. 


Use the CIS Management console to perform the following major tasks: 


* Configure your server 

* Configure cloud account, policies, and tiers 

* Create and manage roles for other users 

* Configure CIS and agents settings 
* Monitor and manage your server's health 

* Overall status of the server 

* Monitor the status of individual services in the CIS server 
* Data migration solution for DST volumes 


* Securely transfer the data to the cloud using AES encryption 
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1.2.1 


1.2.2 


1.2.3 


1.2.4 


Cloud Integrated Storage is a network service that manages the data intelligently and reduces the 
total cost of ownership while improving flexibility. 


The following video provides an introduction to Cloud Integrated Storage (CIS): 


ini http://www.youtube.com/watch?v=6x9fdjlzFf4 


Benefits of Cloud Integrated Storage 


Cloud Integrated Storage has the following benefits: 


* Section 1.2.1, "Reduce Total Cost of Ownership," on page 11 
* Section 1.2.2, “Transparent File Access for End Users," on page 11 
* Section 1.2.3, "Data Availability on Access," on page 11 


* Section 1.2.4, "Policy-Based Migration," on page 11 


Reduce Total Cost of Ownership 


The active data (hot data) or frequently accessed data is stored on fast and high quality storage. The 
less accessed data (cold data) is placed on a cloud storage with relatively slower access. CIS policies 


helps you to partition the files based on last accessed time, size, type, name, and so on. You can 
move the less active data (cold data) from a higher performance storage to a lower performance 
storage, thus reserving the expensive storage for active data (hot data). 


Transparent File Access for End Users 


Users can seamlessly access the files through CIFS protocol. The user maps to the same logical path 
and is not aware of the physical location of the file. This allows the administrator to manage the data 


without disrupting the user's view of the files. The files that are moved to cloud are represented 
with crossmark (x) symbol in Windows client and indicate that the files are in a offline state. 


Data Availability on Access 


After moving the data to cloud, you still have access to the data. The access to the data available in 
the cloud storage is through secondary volumes called Cloud Backed Volumes (CBV). The CBV 
contains the metadata information of the data available in the cloud. When the data is accessed, 
they are brought back to the OES server. 


Policy-Based Migration 
Administrator can set policies to migrate the data from the primary volume to the cloud storage 


depending on the last accessed time, modified time, file type, size, and so on. To migrate the data, 
the policy can be run manually or automatically based on the scheduled time. 
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13 CIS Architecture Overview 


Figure 1-1 CIS Components Overview 
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For detailed information about CIS and its infrastructure components, see Section 1.4, "CIS 


Components," on page 12. 


1.4 CIS Components 


The following are the main components of Cloud Integrated Storage: 


* Section 1.4.1, "Server," on page 13 


* Section 1.4.2, "Clients," on page 14 
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Server 


The CIS server requires multiple services to perform the overall operation. These services are built 
based on the concept of microservices. Microservices are a suite of independently deployable, small, 
modular services in which each service runs a unique process and communicates through a well- 
defined, lightweight mechanism to serve a business goal. All microservices run as an individual 
dockerized images. 


The following are eleven microservices available for Cloud Integrated Storage: 


* Authentication: Authenticates the agent and user. Also, facilitates token creation. The 
authentication service name is cis-auth. 


* Data: Used for migration, recall, and communication of data with the target cloud. The data 
service name is cis-data. 


* Metadata: Provides the capability to migrate, recall and maintain the metadata. The metadata 
service name is cis-metadata. 


* Policy: It deals with the policies, agents, jobs, tiers, and schedule operation. The policy service 
name is cis-policy. 


* Management: Handles all the management operations such as CIS account configuration, 
policy creation, tier configuration, assigning roles for other users, CIS server, and agent settings. 
The management service name is cis-mgmt. 


* Collector and Aggregator: Obtains the metadata information from the OES servers and 
performs calculations on the overall data and provides a meaningful information (hot and cold 
data) for the administrator. The collector and aggregator service names are cis-collector 
and cis-aggregator. 


* Collector and Aggregator for Reporting: Obtains the information of files migrated to the cloud, 
files recalled from the cloud and then perform calculations on the overall migrated and recalled 
data and provides meaningful information. The collector and aggregator service names for 
reporting are cis-repcollector and cis-repaggregator. 


* Gateway: It is the entry point to all services of CIS. It receives request from the OES servers and 
users and redirects it to the respective services. The gateway service name is cis-gateway. 


* Fluent Bit: It is the logging framework used to collect the log information of all the CIS services 
at a common location. The logging service name is cis-fluentbit. The CIS services log 
information is located at /var/opt/novell/log/cis/microservices. Different log levels 
can be set for all the CIS services. 





All these microservices communicate through the following default ports: 


+ 8343: All requests from the OES server comes through this port. 


+ 8344: All management operations are performed through this port. 
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1.4.2 Clients 


The OES server acts as a client to the CIS server. The components that are available on the client side 
are as follows: 


* CIS Agent: Acts as a client to the CIS server. It performs the major operations such as volume 
listing, tier configuration, and so on. The CBV contains the metadata information of files that 
are migrated to the cloud. By default, agent communicates through port 8000. The CIS agent 
name is cis-agent.service. 


* CIS Recall Agent: Helps in recalling the data. When a request comes from a user for a specific 
file, the recall agent sends a request to the CIS server to retrieve the data from the cloud by 
using the metadata information. The CIS recall agent name is cis-recall-agent.service. 


* CIS Scanner: Scans the metadata on the NSS volumes of the OES server and sends it to CIS 
server. The CIS scanner name is cis-scanner.service. 


1.5 Services and Components Used by CIS 


The services and components in this section are used by CIS. 


* Section 1.5.1, "Infrastructure Services," on page 14 


* Section 1.5.2, "Database," on page 15 


15.1 Infrastructure Services 


CIS infrastructure services includes the following: 


* "Elasticsearch (Indexing)" on page 14 
+ “ZooKeeper (Configuration Store)" on page 14 


+ "Kafka (Messaging)" on page 15 
Elasticsearch (Indexing) 


CIS uses Elasticsearch for the following benefits: 


* Stores indexes and provides the capability for text search that enables faster discovery and 
deliver of relevant data. 


* Analyze and aggregate the metadata obtained from the respective OES servers and enables CIS 
to query the information faster. 


ZooKeeper (Configuration Store) 


CIS uses ZooKeeper service for maintaining the configuration information. 
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1.5.2 


1.6 


1.7 


Kafka (Messaging) 


CIS uses Kafka for the following benefits: 


* Good solution for large scale message processing applications. 


* Asynchronous communication across services and to report event processing. 


Database 


CIS supports MariaDB and MS SQL database to store and retrieve the information. For example, OES 
server information, cloud information, CIS service related information, and information about the 
migrated data. 


Management Tools 


Cloud Integrated Storage policies, tiers, roles, agent settings, and cloud account configuration is 
managed in the CIS management console. For more information about using CIS management 
console, see Section 6.1, "Managing CIS," on page 41. 


What's Next 


For information about planning your CIS solution, see Chapter 3, "Planning Your Cloud Integrated 
Storage Server Environment," on page 19. 


For information about installing and configuring CIS, see Chapter 4, "Installing and Configuring Cloud 
Integrated Storage (CIS)," on page 21. 
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2.1 


2.2 


2.3 


What's New or Changed in CIS 


This section describes enhancements and changes in Cloud Integrated Storage since the Open 
Enterprise Server (OES) 2018 SP2. 


* Section 2.1, “What's New or Changed in CIS Update 8 - OES 2018 SP2,” on page 17 
* Section 2.2, "What's New or Changed in Update 2 - OES 2018 SP2,” on page 17 

+ Section 2.3, "What's New or Changed in Update 1 - OES 2018 SP2,” on page 17 

* Section 2.4, "What's New or Changed in CIS (OES 2018 SP2),” on page 18 


What's New or Changed in CIS Update 8 - OES 2018 SP2 


CIS Client 


+ CIS Client for Windows: The CIS client is upgraded to version 1.0.5 and includes changes to 
icons. 


¢ CIS Client for MAC: The CIS client is upgraded to version 1.1.1 and includes changes to icons. 


Elasticsearch 


Security vulnerabilities are fixed for Elasticsearch. You must perform additional steps on applying the 
patch. For more information, see Section 4.3, "Patching OES 2018 SP2 Update 8," on page 35. 


What's New or Changed in Update 2 - OES 2018 SP2 


Customer Bug Fixes: Many of these improvements are made in direct response to suggestions and 
issues raised by our customers. 


What's New or Changed in Update 1 - OES 2018 SP2 


* Symbolic Link Changes: The symbolic links to the following files stored on /media/nss/ 
<VOLUMENAME> or / root (local node) are modified as: 














* Configuration Files: Symbolic link modified to /etc/opt/novell/cis. 
* LogFiles: Symbolic link modified to /var/opt/novell/log/cis. 


+ Performance and Scale Improvements: Enhancements are made so that the CIS scanner scales 
efficiently for a large number of files. 


* 3rd Party CA Certificate Support: CIS provides better support for handling intermediate CA 
certificates. 
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2.4 


What's New or Changed in CIS (OES 2018 SP2) 


CIS provides the following enhancements and changes in OES 2018 SP2: 


CIS Client (New) 


On Mac OS X, when you use List view, Column view, or Gallery view options in Finder to preview the 
files that are uploaded to the cloud, the files get downloaded from the cloud. This unwanted 
download of files fills up your local storage. To avoid this, Open Enterprise Server CIFS provides a 
feature that can be enabled by using the novci £s utility. Enabling this feature with the CIS client on 
Mac OS X allows you to preview the files uploaded to the cloud. The following new tools are created: 


+ CIS Client for Windows: Displays the cloud overlay icon on the files uploaded to the cloud and 
also allows you to access the files uploaded to the cloud. 


¢ CIS Client for Mac: It allows you to access the files uploaded to the cloud. 


For more information, see Chapter 8, “Working with CIS Client,” on page 61. 


CIS Management Ul Enhancements 
The following options are added in the CIS management console: 
+ Top Cold Data Users: Displays the five users with the top cold data on the Insights page. For 
more information, see Section 6.1.1, “Insights,” on page 43. 


+ Schedule File Scan: Allows you to schedule a scan on a specific time. You can choose the 
following scan type in the Agents setting page: 


+ Full Scan: Performs the complete scan on OES volume. 


+ Incremental Scan: Performs the differential scan from the previous full scan on the OES 
volumes. 


For more information, see Section 6.1.7, “Agents,” on page 52. 


+ Dry Run: Added the following policy run type options to estimate the total migrate or recall 
data before the actual run. 


* Free Space Calculation 
* Recall Space Estimation 


For more information, see "Managing Cloud Tiers" on page 48. 
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3.1 


3.2 


3.3 


Planning Your Cloud Integrated Storage 
Server Environment 


This section describes the software requirements and configuration guidelines for installing and 
using Cloud Integrated Storage (CIS) on your Open Enterprise Server (OES) servers. 

* Section 3.1, “Open Enterprise Server 2018 SP2,” on page 19 

* Section 3.2, "Cloud Storage Requirements," on page 19 


* Section 3.3, "CIS Requirements," on page 19 


Open Enterprise Server 2018 SP2 


Cloud Integrated Storage runs on OES servers with 64-bit processors. For information about 
installing and configuring OES, see the OES 2018 SP2: Installation Guide. 


Cloud Storage Requirements 


CIS supports the following: 


* Amazon S3 or 


+ Object storage that is S3 compatible 


CIS Requirements 


Before you start configuring the Cloud Integrated Storage (CIS) or infrastructure services, ensure that 
the following prerequisites are met: 


* Ensure that a minimum of 16 GB of RAM is configured for CIS or infrastructure services to 
function normally. 


* The eDirectory schema for CIS must be extended so that the CIS server is successfully 
configured. If eDirectory schema is not extended for CIS, execute the cis.sch file on the OES 
server to enable the schema. For more information about how to run the script, see "CIS 
Configuration Fails With an Error" on page 69. If OES Storage Service (NSS) pattern is selected 
during installation, the eDirectory schema is automatically updated. 


* Ensure that /etc/resolv.conf is configured with the appropriate DNS entry so that the OES 
server, CIS, and its infrastructure services (Elasticsearch, ZooKeeper, and Kafka) are mutually 
resolvable. 
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+ Ensure that the database is installed and configured. For information on how to install and 
configure MariaDB, see Appendix B, "Installing and Configuring MariaDB," on page 81. If you 
want to use already configured database (MariaDB or MS SQL) with CIS, ensure that the 


database is up and running. 
* While upgrading from OES 2018 to OES 2018 SP2, ensure that the CIS pattern is not installed. 
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4.1 


4.2 


Installing and Configuring Cloud Integrated 
Storage (CIS) 


This topic describes how to install and configure CIS in different environments. 


* Section 4.1, "Installing CIS,” on page 21 

* Section 4.2, "Configuring CIS," on page 21 

* Section 4.3, "Patching OES 2018 SP2 Update 8," on page 35 
* Section 4.4, "Verifying the CIS Configuration," on page 36 

* Section 4.5, "LUM Enabling CIS User and Group," on page 37 


Installing CIS 


1 From the boot menu, select Installation and press enter, then continue with the installation as 
desired until you get to the Installation Settings page. 


For detailed instructions, see Installing OES 2018 SP2 as a New Installation in the OES 2018 SP2: 


Installation Guide. 


2 Onthe Installation Settings page, click Software to open the Software Selection and System 
Tasks page. 


3 Under Open Enterprise Server, select Cloud Integrated Storage (CIS) and continue with the 
installation process. 


The following additional services are automatically selected: 
+ NetlQ eDirectory 
+ OES Linux User Management (LUM) 
* OES Remote Manager (NRM) 
* OES Backup / Storage Management Services (SMS) 
4 Continue with Section 4.2, "Configuring CIS," on page 21. 


Configuring CIS 


The Cloud Integrated Storage (CIS) provides a console to configure CIS and its infrastructure 
components. This section covers the deployment configuration of CIS and its infrastructure 
components. 





NOTE: Before configuring CIS or infrastructure services on any server, ensure to select CIS pattern 
using the YaST configuration. 
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4.2.1 Accessing the CIS Configuration Console 


1 Point your browser to https://«OES server IP address or the host name»:8105. 


+++ 
+++ 
+++ 
+++ + + + CIS Configuration 
++++++ 





cn=admin,o=microfocus 


COLLABORATION Password 


LOGIN 


5t 


2 Specify the user name or FQDN of the eDirectory administrator in the user name, specify the 
password, then click Login. For example, cn=admin,o=acme. 


The CIS Configuration welcome page explains the configuration flow of CIS components. 


3 Review the flow, and then select the type of deployment as per your requirement. 


Cloud Integrated Storage Deployment 
Single Server Deployment 


Configure CIS as a Standalone Server 
Choose this option to configure Apache Kafka, Apache ZooKeeper, Elasticsearch, Database, and CIS services on the same server. 


Configure Infrastructure Services 
Choose this option to configure Apache Kafka, Apache ZooKeeper, and Elasticsearch in high availability (HA) mode. 


Configure CIS Services 


Choose this option to configure CIS as a single node or a cluster (Novell Cluster Service) node. 


Configure Data Scale 


Choose this option to configure CIS data service and place it near to the agent location. 


BACK NEXT 
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IMPORTANT: Before configuring the CIS, ensure that there is sufficient disk space available on 
the root file system for CIS to function properly. 





42.2 Deployment Types 


It includes the following: 


+ "Configure CIS as a Standalone Server" on page 23 
* "Configure Infrastructure Services" on page 27 
+ "Configure CIS Services" on page 28 


+ "Configure Data Scale" on page 33 


Configure CIS as a Standalone Server 


Choose this option to configure Apache Kafka, Apache ZooKeeper, Elasticsearch, database and CIS 
services on the same server. 


Prerequisites 
* Before you start with CIS configuration, ensure to meet the requirements mentioned in 
Section 3.3, "CIS Requirements," on page 19 are met. 


* Alocal database is created during CIS Standalone server configuration. Ensure that there is no 
database already configured on this server. 


Procedure 
1 Onthe CIS deployment page, select Configure CIS as a Standalone Server deployment type and 
then click Next. 
2 Configuration Location: Specify the following: 


+ Hostname / IP Address: Specify the fully qualified domain name (FQDN) or IP address of 
the server where CIS will be configured. For example, wdccisserver.labs.wdc.acme.com. 


* Configuration Path: Specify the path to store CIS configuration files and log files. By 
default, the path is set to root (/). You can modify it to /home or /media/nss/ 
VOLUMENAME depending on your requirement. 


If you are using /media/nss/CISVOL, then it is recommended to create a new volume for 
CIS. When using an existing volume, ensure that the space available is 100 GB or more. You 
must LUM enable the cisuser and cisgroup. For more information, see Section 4.5, “LUM 
Enabling CIS User and Group," on page 37. 


If /media/nss/CISVOL is a cluster volume, then you need to modify the resource to update 
the Load and Unload script with CIS service. For more information, see "Modifying the 
Load, Unload, and Monitor Scripts" on page 25. 


3 Database: Specify the following: 


Use external database: Enable this option to configure CIS with the already configured 
database server. By default, this option is disabled. 


+ If this option is disabled, specify the MariaDB password to configure the local database. 
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+ If this option is enabled, specify the following: 
1. Select either MariaDB or MS SQL database. 


2. Specify the database host name or IP address and port. By default, the database port 
for MariaDB is 3306 and MS SQL is 1433. 


3. Specify the user name and password for the database. 


4. Use secure connection: Enables or disables the database connection to be secure. By 
default, this option is disabled. 


If MariaDB database is selected, ensure to meet the following prerequisites before 
proceeding in the GUI: 


a. Ensure to copy MariaDB client certificates to the CIS server at /etc/opt/ 
novell/cis/db/certs. 


b. In the MySQL configuration file (/etc/my.cnf) under the [mysqld] section, 
update the following paths: 


[mysqld] 

ssl=1 

ssl-ca=/etc/opt/novell/cis/db/certs/ca-cert.pem 
ssl-cert=/etc/opt/novell/cis/db/certs/client-cert.pem 
ssl-key=/etc/opt/novell/cis/db/certs/client-key.pem 


* Client CA Certificate file path: Specify the path of client Certificate Authority (CA) 
file in .pem format. 


+ Client Certificate file path: Specify the path of the client certificate file in .pem 
format. 


* Client Key file path: Specify the path of the key file associated with the client 
certificate in .pem format. 


4 Infrastructure Server: Specify the following: 
* ZooKeeper: By default, it is configured with the CIS server IP and ZooKeeper port is 2181. 


* Elasticsearch: By default, it is configured with the CIS server IP and Elasticsearch port is 
9400. 


* Kafka: By default, it is configured with the CIS server IP and Kafka port is 9092. 
5 Click Next. 
6 Admin Context: Specify the following: 


* CIS Admin Name with Context: Specify the LDAP distinguished name (DN) of the user who 
administers the CIS server. For example, cn=admin,o=acme. 


* Admin Password: Specify the password for the CIS administrator. 


* Agent Search Context: Specify the LDAP distinguished name (DN) of the container object 
under which the NCP server objects of the OES server resides that connects to the CIS 
server. The OES server includes the agents that connects to the CIS server. The CIS admin 
user must have supervisory rights on this server context. 


7 Click Next. Review the configuration summary and then click Finish. 
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Modifying the Load, Unload, and Monitor Scripts 


1 Log in to iManager. 
2 Under Roles and Tasks, select Clusters > My Clusters, then select the cluster. 


If the cluster does not appear in your personalized list of clusters to manage, you can add it. 
Click Add, browse and select the cluster, then click OK. Wait for the cluster to appear in the list 
and report its status, then select the cluster. 


3 Onthe Cluster Manager page or Cluster Options page, select the cluster resource to view its 
properties, then click the Scripts tab. 


4 Click the Load Script, Unload, or Monitor Script links to view or modify the scripts. If you modify 
a script, click Apply to save your changes before you leave the page. 


Changes do not take effect until you take the resource offline, and bring it online again. 
4a Edit the load script for the Cluster Pool. Add the following lines to the existing load script 
before the exit 0 statement. 


* start CIS services 

exit on error /usr/bin/systemctl start oes-cis-fluentbit.service 
exit on error /usr/bin/systemctl start oes-cis- 
configuration.service 


# start CIS infra services 








exit on error /usr/bin/systemctl start oes-cis-zk.service 
exit on error /usr/bin/systemctl start oes-cis-elastic.service 
exit on error /usr/bin/systemctl start oes-cis-kafka.service 

* start CIS core services 

exit on error /usr/bin/systemctl start oes-cis-auth.service 
exit on error /usr/bin/systemctl start oes-cis-data.service 
exit on error /usr/bin/systemctl start oes-cis-metadata.service 
exit on error /usr/bin/systemctl start oes-cis-policy.service 
exit on error /usr/bin/systemctl start oes-cis-mgmt.service 
exit on error /usr/bin/systemctl start oes-cis-aggregator.service 
exit on error /usr/bin/systemctl start oes-cis-collector.service 
exit on error /usr/bin/systemctl start oes-cis- 
repaggregator.service 

exit on error /usr/bin/systemctl start oes-cis-repcollector.service 
exit on error /usr/bin/systemctl start oes-cis-gateway.service 


f check the services 






































exit on error /usr/bin/systemctl is-active oes-cis- 
fluentbit.service 

exit on error /usr/bin/systemctl is-active oes-cis- 
configuration.service 

exit on error /usr/bin/systemctl is-active oes-cis-zk.service 
exit on error /usr/bin/systemctl is-active oes-cis-elastic.service 
exit on error /usr/bin/systemctl is-active oes-cis-kafka.service 
exit on error /usr/bin/systemctl is-active oes-cis-auth.service 
exit on error /usr/bin/systemctl is-active oes-cis-data.service 
exit on error /usr/bin/systemctl is-active oes-cis-metadata.service 
exit on error /usr/bin/systemctl is-active oes-cis-policy.service 
exit on error /usr/bin/systemctl is-active oes-cis-mgmt.service 
exit on error /usr/bin/systemctl is-active oes-cis- 
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tive 


tive 


tive 





tive 





oes-cis- 
oes-cis- 
oes-cis- 


oes-cis-gateway.service 


Efirewall2.service 


Edit the unload script for the Cluster Pool. Add the following lines to the existing unload 
t/novell/ncs/lib/ncsfuncs statement: 





tl stop oes-cis-fluentbit.service 

tl stop oes-cis-auth.service 

tl stop oes-cis-data.service 

tl stop oes-cis-metadata.service 

tl stop oes-cis-policy.service 

tl stop oes-cis-mgmt.service 

tl stop oes-cis-aggregator.service 

tl stop oes-cis-collector.service 

tl stop oes-cis-repaggregator.service 
tl stop oes-cis-repcollector.service 
tl stop oes-cis-gateway.service 

tl stop oes-cis-configuration.service 
tl stop oes-cis-kafka.service 

tl stop oes-cis-elastic.service 

tl stop oes-cis-zk.service 


4c Edit the monitor script for the Cluster Pool. Add the following lines to the existing monitor 
script before the exit 0 statement. 
































exit on error /usr/bin/systemctl is-active oes-cis- 
fluentbit.service 

exit on error /usr/bin/systemctl is-active oes-cis-zk.service 
exit on error /usr/bin/systemctl is-active oes-cis-elastic.service 
exit on error /usr/bin/systemctl is-active oes-cis-kafka.service 
exit on error /usr/bin/systemctl is-active oes-cis-auth.service 
exit on error /usr/bin/systemctl is-active oes-cis-data.service 
exit on error /usr/bin/systemctl is-active oes-cis-metadata.service 
exit on error /usr/bin/systemctl is-active oes-cis-policy.service 
exit on error /usr/bin/systemctl is-active oes-cis-mgmt.service 
exit on error /usr/bin/systemctl is-active oes-cis- 
aggregator.service 

exit on error /usr/bin/systemctl is-active oes-cis- 
collector.service 

exit on error /usr/bin/systemctl is-active oes-cis- 
repaggregator.service 

exit on error /usr/bin/systemctl is-active oes-cis- 
repcollector.service 

exit on error /usr/bin/systemctl is-active oes-cis-gateway.service 
exit on error /usr/bin/systemctl is-active oes-cis- 
configuration.service 








Configure Infrastructure Services 


Choose this option to configure Apache Kafka, Apache ZooKeeper, and Elasticsearch in high 
availability (HA) mode. 


A multi node high availability configuration of infrastructure server helps to increase the efficiency 
and availability of the infrastructure server. It is mandatory to configure atleast three HA nodes. You 
can configure up to seven nodes. 


Prerequisites 
* Before you start with infrastructure services configuration, ensure that the requirements 
mentioned in Section 3.3, "CIS Requirements," on page 19 are met. 
* Ensure that you allocate sufficient disk space for the infrastructure server. 


+ Docker Swarm configuration is supported only on the ext4 file systems. 


Procedure 


1 To automatically make the server HA ready, click Start. 


After successful configuration, click OK. Re-login to the console to view the steps to complete 
the Infrastructure service configuration (using CLI). 


2 (Using CLI) To setup the Docker Swarm, perform the following on the terminal console of this 
server: 


2a Open a terminal console, then log in as a root user. 
2b Initialize a Docker Swarm using the following command: 


docker swarm init 
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28 


2c Create a token and add a manager to this swarm using the following command: 
docker swarm join-token manager 
Command output: 
docker swarm join --token «token value» <host_address:2377> 


Make a note of this command output, because the same output must be executed on all 
other HA nodes to join this Docker Swarm. 


2d After successful configuration, go to next HA node, perform step1 and then join this server 
to the Docker Swarm created on first node using the following command: 


docker swarm join --token «swarm token gererated from first node» 
«first node hostname»:2377 


Repeat this step on all the infrastructure server nodes. 
2e Onthe last HA node, start infrastructure services using the following command: 


sh /opt/novell/cis/bin/cis ext service.sh start 





After successful configuration of infrastructure services, continue with "Configure CIS Services" 
on page 28. 


Configure CIS Services 


Choose this option to configure CIS as a single node or a NCS (OES Cluster Services) cluster resource. 


Prerequisites 
* Before you start with CIS configuration, ensure that the requirements mentioned in Section 3.3, 
"CIS Requirements," on page 19 are met. 
* Ensure that the infrastructure services (in high availability mode) is configured. 


+ For CIS server to function in a cluster environment, ensure that all nodes are configured with 
OES 2018 SP2. Novell Cluster Services must be installed and running on the servers that have 
CIS installed. For information, see Installing, Configuring, and Repairing OES Cluster Services in 
the OES 2018 SP2: OES Cluster Services for Linux Administration Guide. 


* Create a dedicated pool resource and volume to run the CIS service. Ensure to cluster-enable 
the pool resource. 


Procedure 


1 Configuration Location: Specify the following: 


Configure CIS as a NCS cluster resource: Configures CIS in a cluster environment. By default, 
this option is enabled. 


* Hostname / IP address: Specify the server address for standalone and resource or virtual 
IP address or hostname of the NCS cluster resource where the CIS server is part of. 


* Configuration Path: Specify the NSS media path to store CIS configuration files and log 
files. For example, /media/nss/CISVOL. 
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2 Database: Specify the following: 
Select either MariaDB or MS SOL database. 


2a 
2b 


2c 
2d 


2e 


Specify the database host name or IP address and port. By default, the database port for 
MariaDB is 3306 and MS SQL is 1433. 


Specify the user name and password for the database. 


Connection Parameters: If your MS SQL is configured with connection parameters, specify 
the value.This is not a mandatory field. 


Use secure connection: Enables or disables the database connection to be secure. By 
default, this option is disabled. 


If MariaDB database is selected, ensure to meet the following prerequisites before 
proceeding in the GUI: 


1. 


Ensure to copy MariaDB client certificates to the CIS server at /etc/opt/novell/ 
cis/db/certs. 


In the MySQL configuration file (/etc/my.cnf) under the [mysqld] section, update 
the following paths: 


[mysqld] 

ssl=1 

ssl-ca-/etc/opt/novell/cis/db/certs/ca-cert.pem 
ssl-cert-/etc/opt/novell/cis/db/certs/client-cert.pem 
ssl-key-/etc/opt/novell/cis/db/certs/client-key.pem 


Client CA Certificate file path: Specify the path of client Certificate Authority (CA) file 
in .pem format. 


Client Certificate file path: Specify the path of the client certificate file in .pem 
format. 


Client Key file path: Specify the path of the key file associated with the client 
certificate in .pem format. 


3 Infrastructure Server Host name / IP address: Specify the host name or IP address of all the 
configured infrastructure server HA nodes. Separate multiple entries with a comma. 


4 Click Validate. If there are errors, ensure to resolve them before you proceed. 


5 CIS Admin Name with Context: Specify the LDAP distinguished name (DN) of the user who 
administers the CIS server. For example, cn=admin,o=acme. 


6 Admin Password: Specify the password for the CIS administrator. 


7 Agent Search Context: Specify the LDAP distinguished name (DN) of the container object under 
which the NCP server objects of the OES server resides that connects to the CIS server. The OES 
server includes the agents that connects to the CIS server. The CIS admin user must have 
supervisory rights on this server context. 


8 Click Next. Review the configuration summary and then click Finish. 





NOTE: If you have configured CIS on a single node, ignore the further steps. If you have 
configured CIS as a Cluster Resource, continue with Step 9 on page 29. 


9 When CIS is configured with cluster resource IP or hostname, you must replace the certificates 
in /etc/opt/novell/cis/certs with the certificate that you have created manually for CIS. 
To create the certificates manually, see Section C.1, "Creating Certificates for CIS," on page 83. 
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10 Modify the Load, Unload and Monitor script. 
10a Log in to iManager. 
10b Under Roles and Tasks, select Clusters » My Clusters, then select the cluster. 


If the cluster does not appear in your personalized list of clusters to manage, you can add it. 
Click Add, browse and select the cluster, then click OK. Wait for the cluster to appear in the 
list and report its status, then select the cluster. 


10c On the Cluster Manager page or Cluster Options page, select the CIS cluster resource to 
view its properties, then click the Scripts tab. 


10d Click the Load Script, Unload, or Monitor Script links to view or modify the scripts. If you 
modify a script, click Apply to save your changes before you leave the page. 


Changes do not take effect until you take the resource offline, and bring it online again. 


10d1 Edit the load script for the Cluster Pool. Add the following lines to the existing load 
script before the exit 0 statement. 


fupdate the links 


/bin/bash /opt/novell/cis/bin/update cislinks.sh cis «New media 
path» 


* start the services 
exit on error /usr/bin/systemctl start oes-cis-fluentbit.service 


exit on error /usr/bin/systemctl start oes-cis- 
configuration.service 


exit on error /usr/bin/systemctl start oes-cis-auth.service 
exit on error /usr/bin/systemctl start oes-cis-data.service 
exit on error /usr/bin/systemctl start oes-cis-metadata.service 
exit on error /usr/bin/systemctl start oes-cis-policy.service 


exit on error /usr/bin/systemctl start oes-cis-mgmt.service 





exit on error /usr/bin/systemctl start oes-cis- 
aggregator.service 


exit on error /usr/bin/systemctl start oes-cis-collector.service 


exit on error /usr/bin/systemctl start oes-cis- 
repaggregator.service 


exit on error /usr/bin/systemctl start oes-cis- 
repcollector.service 
































exit on error /usr/bin/systemctl start oes-cis-gateway.service 











# wait before checking their status 


sleep 5 
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10d2 





f check the services 


exit on error /u 


sr/bin/systemctl is-ac 
fluentbit.service 
S 
r 


exit on error /usr/bin/systemctl is-ac 
configuration.service 


exit on error /usr/bin/systemctl is-ac 
exit on error /usr/bin/systemctl is-ac 


exit on error /usr/bin/systemctl is-ac 
ror /usr/bin/systemctl is-ac 


exit on e 


exit on error /usr/bin/systemctl is-ac 


ror /usr/bin/systemctl is-ac 


ry UY 


exit on error /usr/bin/systemctl is-ac 





/usr/bin/systemctl is-ac 
service 


exit on error /usr/bin/systemctl is-ac 
tor.service 



































exit on error /usr/bin/systemctl is-ac 
gateway.service 














# restart firewall if its running 
Systemctl status SuSEfirewall2.service 


if [ $? -eq 0 ]; then 





tive oes-cis- 


tive oes-cis- 


tive oes-cis- 


tive oes-cis- 


tive oes-cis- 


tive oes-cis- 


tive oes-cis- 


tive oes-cis- 





tive oes-cis- 








ignore error systemctl restart SuSEfirewall2.service 


fi 


Edit the unload script for the Cluster Pool. Add the following lines to the existing 


unload script after the /opt/novell/ncs/lib/ncsfuncs statement: 
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tive oes-cis-auth.service 


tive oes-cis-data.service 


tive oes-cis-mgmt.service 
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ignore error /u 
ignore error /u 
ignore error /u 
ignore error /u 


ignore error /u 





ignore error /u 
ignore error /u 
ignore error /u 


ignore error /u 
repaggregator.s 


ignore error /u 
repcolle 


ignore error /u 





ignore error /u 























S 


ctor.service 


S 


configuration.se 


r/bin/sys 
r/bin/sys 
r/bin/sys 
r/bin/sys 
r/bin/sys 
r/bin/sys 
r/bin/sys 
r/bin/sys 


r/bin/sys 
rvice 


r/bin/sys 


r/bin/sys 








r/bin/sys 
rvice 














cemce 


cemce 


cemce 


cemce 


cemce 


cemce 


cemce 


cemce 


cemce 


cemce 


cemce 


cemce 





ET 


top 


top 


top 


top 


top 


top 


top 


top 


top 


top 


top 





top 


oes-cis-fluentbit.service 


oes-cis-auth.service 


oes-cis-data.service 





oes-cis-metadata.service 
oes-cis-policy.service 
oes-cis-mgmt.service 
oes-cis-aggregator.service 
oes-cis-collector.service 


oes-cis- 


oes-cis- 


oes-cis-gateway.service 


oes-cis- 


Edit the monitor script for the Cluster Pool. Add the following lines to the existing 
monitor script before the exit 0 statement. 


exit on 


exit on 
exit on 
exit on 


metadata.service 











exit on 
policy. 
exit on 
exit on 


| error / 


| error / 
| error / 
| error / 
error / 
service 
| error / 


| error / 








x sr/bin/system 
fluentbit.service 


sr/bin/system 
sr/bin/system 


sr/bin/system 


sr/bin/system 


sr/bin/system 








sr/bin/system 


aggregator.service 
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ctl 





is-active oes-cis- 


is-active 


is-active 


is-active 


is-active 


is-active 


is-active 


oes-cis-auth.service 
oes-cis-data.service 


oes-cis- 


oes-cis- 


oes-cis-mgmt.service 





oes-cis- 


exit_on error /usr/bin/systemctl is-active oes-cis- 
collector.service 


exit_on error /usr/bin/systemctl is-active oes-cis- 
repaggregator.service 


exit_on error /usr/bin/systemctl is-active oes-cis- 
repcollector.service 


exit_on error /usr/bin/systemctl is-active oes-cis- 
gateway.service 





























exit_on error /usr/bin/systemctl is-active oes-cis- 
configuration.service 








11 To add a new node to this cluster: 
11a Ensure that the CIS pattern is installed and updated with the latest patches. 
11b Ensure this node is part of the same cluster. 


11c Migrate the CIS resource to the new node. 


Configure Data Scale 


Choose this option to improve the latency of the data access. 


Prerequisite 


Before you start with CIS configuration, ensure that the requirements mentioned in Section 3.3, "CIS 
Requirements," on page 19 are met. 


Data and Gateway 


Choose this option to configure the data and gateway service on this server. It is recommended to 
select this option if this is the first data scale server getting configured, because the gateway service 
provides load balancing on the data service. 
1 Host names: Specify the following: 
1a Data Server: Displays the host name or IP address of the local server. 


1b Configure gateway as a NCS cluster resource: Enables or disables the gateway as a NCS 
cluster resource. By default, this option is enabled. 


* Ifthis option is enabled, specify the IP address of the NCS cluster resource where 
gateway is configured. 


+ If this option is disabled, the host name or IP address of the local server is displayed. 





NOTE: It is recommended to configure gateway as a cluster to avoid interruption of the 
service. 





2 General: Specify the following: 
2a CIS Server Address: Specify the host name or IP address where the CIS server is configured. 


2b Infrastructure Server Host name: Specify the host name or IP address of all the configured 
HA nodes. Separate multiple entries with a comma. 
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3 Certificates: Specify the following: 


3a eDirectory Server: Displays the CIS server host name and port where the eDirectory server 
is configured. By default, eDirectory server port is 524. 


3b Cluster Resource Host name: Specify the fully qualified domain name (FQDN) of a NCS 
cluster resource where the CIS server is part of. Separate multiple entries with a comma. 


3c Cluster Resource IP Address: Specify the virtual IP address of the NCS cluster resource 
where the CIS server is part of. Separate multiple entries with a comma. 


4 Click Next. Review the configuration summary and then click Finish. 


Data 


Choose this option to configure the server as a standalone data server or connect the data server to 
an existing gateway server. 


1 Host names: Specify the following: 


la Connect to Gateway server: Enables or disables the data server to connect to gateway. By 
default, this option is enabled. 


¢ If this option is enabled, displays the host name or IP address of the local server that 
will be connected to gateway. 


Gateway: Specify the host name or IP address of the server where gateway service is 
configured. 


+ If this option is disabled, the host name or IP address of the local server is displayed. 
2 General: Specify the following: 


2a CIS Server Address: Specify the host name or IP address of the server that is configured 
with CIS. 


2b Infrastructure Server Host name: Specify the host name or IP address of all the configured 
HA nodes. Separate multiple entries with a comma. 


3 Certificates: Specify the following: 


3a eDirectory Server: Displays the CIS server host name and port where the eDirectory server 
is configured. By default, eDirectory server port is 524. 


3b Cluster Resource Host name: Specify the fully qualified domain name (FQDN) of a NCS 
cluster resource where the CIS server is part of. Separate multiple entries with a comma. 


3c Cluster Resource IP Address: Specify the virtual IP address of the NCS cluster resource 
where the CIS server is part of. Separate multiple entries with a comma. 


4 Click Next. Review the configuration summary and then click Finish. 
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Gateway 


Choose this option to configure only the gateway service on this server. You can connect multiple 
data servers to this gateway server for load balancing between the OES agents and data services. 
1 Host names: Specify the following: 


la Configure gateway as a NCS cluster resource: Enables or disables the gateway as a NCS 
cluster resource. By default, this option is enabled. 


* Ifthis option is enabled, specify the IP address of the NCS cluster resource where the 
gateway is configured. 


+ If this option is disabled, the host name or IP address of the local server is displayed. 
2 General: Specify the following: 
2a CIS Server Address: Specify the host name or IP address where the CIS server is configured. 


2b Infrastructure Server Host name: Specify the host name or IP address of all the configured 
HA nodes. Separate multiple entries with a comma. 


3 Certificates: Specify the following: 


3a eDirectory Server: Displays the CIS server host name and port where the eDirectory server 
is configured. By default, eDirectory server port is 524. 


3b Cluster Resource Host name: If gateway is configured as a NCS clustered resource, specify 
the fully qualified domain name (FQDN) of a NCS cluster resource where the gateway 
server is configured. Separate multiple entries with a comma. 


Host name: Specify the fully qualified domain name (FQDN) of the local server. Separate 
multiple entries with a comma. 


3c Cluster Resource IP Address: If gateway is configured as a NCS clustered resource, specify 
the virtual IP address of a NCS cluster resource where the gateway server is configured. 
Separate multiple entries with a comma. 


IP Address: Specify the IP address of the local server. Separate multiple entries with a 
comma. 


4 Click Next. Review the configuration summary and then click Finish. 


43  Patching OES 2018 SP2 Update 8 


In OES 2018 SP2 Update 8, we are addressing security vulnerability log4j2 that impacts Elasticsearch. 
Elasticsearch stores data that is displayed in Insights and Dashboard pages of the CIS Admin Console. 


On patching the OES server to Update 8, you must perform the following steps to transfer the data 
from Elasticsearch 7.7 to 6.8.22: 


4.3.1 Standalone CIS Server 


Before applying the patch CIS server is running with Elasticsearch 7.7. Data is displayed in the 
Insights and Dashboard pages of the CIS Admin Console. 


1 Apply OES 2018 SP2 Update 8 patch, for more information, see OES 2018 SP2: Installation 
Guide. 


2 Restart the CIS server. 


Installing and Configuring Cloud Integrated Storage (CIS) 35 


36 


There will be no data displayed in the Insights and Dashboard pages of the CIS Admin Console. 


2a (Conditional) If the configuration path is /media/nss/CISVOL (cluster volume), then ensure 
the cluster volume is up and running. 


Verify the status of Elasticsearch 6.8.22. If not running, restart the service. 
Systemctl status oes-cis-elastic.service 

systemctl restart oes-cis-elastic.service 

Start Elasticsearch 7.7 and verify the status. 


systemctl start oes-cis-old-elastic.service 











systemctl status oes-cis-old-elastic.service 


Verify the health of CIS. 








cishealth 
Before proceeding ensure CIS is healthy. 


(Conditional) If the configuration path is a cluster volume, then move the configuration file from 
the cis local location to the media path (/media/nss/CISVOL). 


sh /opt/novell/cis/bin/copy upgraded files.sh 


Run the following command to move data from Elasticsearch 7.7 to Elasticsearch 6.8.22 





sh /var/opt/novell/cis/elastic move data.sh migrate 


The migration takes some time to complete. You can verify the logs at /var/opt/novell/ 
log/cis/cis elastic move <timestamp>.log. 





On successful transferring the data, the Insights and Dashboard pages of the CIS Admin Console 
will populate the existing data. 


44  Verifying the CIS Configuration 


After successful configuration of CIS and its infrastructure services, perform any one of the following: 


* Point your browser to https://«OES server IP address or host name»:8105 and click Admin 


Console link to go to CIS Administration login page. 
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+++ + + + CIS Configuration 
EE EE 


FE cn=admin,o=microfocus 


COLLABORATION Password 


LOGIN 


O The server is successfully configured. 


You can now access the Admin Console to manage CIS server. 


OR 


Point your browser to https://«OES server IP address or host name»:8344. 


+++ 
+++ 
+++ 
+ + + +++ CIS Administration 
t+ttttt+ 


User Name 
LS l 


COLLABORATION 





Password 


5t 


45  LUM Enabling CIS User and Group 


Perform the following steps to LUM-enable the CIS user and group: 


1 Delete the local CIS user. 


userdel cisuser 
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Verify if the CIS user is deleted. 

cat /etc/passwd | grep "cisuser" 
Delete the local CIS group. 

groupdel cisgroup 

Verify if the CIS group is deleted. 

cat /etc/group | grep "cisgroup" 
Create a Linux group object. 


namgroupadd [-a adminFDN] - x group context -W workstation name 
group name 


For example, namgroupadd -a cn-admin,o-microfocus -x o-microfocus cisgroup 
-W acme-111-129 


Create a Linux user object 


namuseradd [-a adminFDN] -x user context [-c comment] -g 
primary groupFDN [-s shell] login name 


namuseradd -a cn=admin,o=microfocus -x o=microfocus -c cisuser -g 
cn=cisgroup,o=microfocus -s /sbin/nologin cisuser 





The namuserlist utility lists the attributes of Linux User objects. 
namuserlist cisuser 

Start Linux User Management. 

rcnamcd restart 


Start Name Service Cache Daemon. 








rcnscd restart 


To give rights to the log folder. 





rights -f /media/nss/CISVOLUME/var/opt/novell/log/cis -r rwfcem trustee 
cisuser.microfocus.oes 


To give rights to the configuration folder. 


rights -f /media/nss/CISVOLUME/etc/opt/novell/cis -r rwfcem trustee 
cisuser.microfocus.oes 
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5 Upgrading Cloud Integrated Storage (CIS) 


To complete the upgrade from OES 2018 SP1 standalone CIS (configured) server to OES 2018 SP2: 


1 


Follow the step-by-step instructions for upgrading to OES 2018 SP2 server. For more 
information, see Upgrading to OES 2018 SP2 in the OES 2018 SP2: Installation Guide. 


Ensure the database that you configured for CIS is up and running. 
2a If it is a local database, verify the status of the database service: 
systemctl status mysql.service 
2b Enable and restart the database: 
systemctl enable mysql.service 
systemctl restart mysql.service 
Verify the if the logging service is up and running: 
systemctl status oes-cis-fluentbit.service 
If it is not running, start the service: 
systemctl start oes-cis-fluentbit.service 


Start the Reporting Collector service: 

















systemctl start oes-cis-repcollector.service 

Ensure all the CIS services are running, by executing the following command: 
docker ps -a 

This displays the status of all the CIS services. 

To verify the health of the CIS server, run the follow: 

cishealth 

When the status displays “Healthy”, then the CIS server is successfully upgraded. 





NOTE: The upgrade takes time to complete depending on the size of the database getting 
migrated from the OES 2018 SP1 server. During this phase, the CIS health might display the 
status of some services as “Not Healthy” because the scanned data is getting updated. On 
completing the update, the health status changes to “Healthy”. 





Verify the status of the CIS agent and scanner service on the OES servers and ensure it is 
running. 


* systemctl status oes-cis-agent.service 


* systemctl status oes-cis-scanner.service 
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6.1 


Management Tools for CIS 


This section provides an overview of the management tools for Cloud Integrated Storage (CIS) in 
Open Enterprise Server (OES). 


* Section 6.1, "Managing CIS," on page 41 


Managing CIS 


Cloud Integrated Storage (CIS) management console allows you to move the NSS data to cloud 
storage. It also allows you to define policies for data migration and view statistic information on 
migration, files migrated and recalled. 





IMPORTANT: The CIS management login page (https://«OES server IP address or the host 
name>:8344) works only if CIS is configured. 





Prerequisites 
Before you start using the CIS management console, ensure that the following prerequisites are met: 


* Supported web browsers: 
* Mozilla Firefox 
* Google Chrome 
* Internet Explorer 
* Microsoft Edge 
* Apple Safari 
* Ensure that a cloud account is created and you have details of the access key and secret key. 


* |f you use cloud account with SSL support and create certificate signed by different CA (other 
than eDirectory CA), copy the CA bundle (.pem format) in /etc/opt/novell/cis/certs/ 
rootCAs and add the CA bundle file name in CLOUD CA BUNDLE NAME in the /etc/opt/ 
novell/cis/config file. 














For example: 





CLOUD CA BUNDLE NAME-"Cloudl-CA.pem" 














NOTE: If you have multiple cloud accounts with SSL support, concatenate CAs (.pem format) of 
the cloud accounts and add the concatenated CA bundle name in CLOUD CA BUNDLE NAME in 
the /etc/opt/novell/cis/config file. 

















After configuring the /etc/opt/novell/cis/config file, ensure to restart the data service 
using the following command: 


systemctl restart oes-cis-data.service 
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In data scale scenario, repeat the same steps on all the servers where data service is running. 
The config file path in data scale is /etc/opt/novell/cis-scale. 


After configuring the /etc/opt/novell/cis-scale/config file, ensure to restart the data 
scale service using the following command: 


systemctl restart oes-cis-dataatscale.service 





NOTE: This prerequisite is not applicable in AWS S3, as secure communication is taken care 
without the CLOUD CA BUNDLE NAME parameter. 

















Ensure that all the CIS services and its infrastructure services are up and running. 

Verify whether the CIS agents are up and running. The CIS agents includes the following: 
oes-cis-agent.service 

oes-cis-recall-agent.service 

oes-cis-scanner.service 


For example, 


blr7-userl:/lib/modules/4.4.21-69-default/kernel # systemctl status 
oes-cis-agent.service 
e oes-cis-agent.service - CIS agent for OES 
Loaded: loaded (/usr/lib/systemd/system/oes-cis-agent.service; 
enabled; vendor preset: disabled) 
Active: active (running) since Wed 2017-06-14 19:01:09 IST; 1 day 23h 
ago 
Main PID: 17177 (cisagents) 
Tasks: 107 (limit: 512) 
CGroup: /system.slice/oes-cis-agent.service 
L-17177 /opt/novell/cis/bin/cisagents 








un 16 10:53:43 blr7-userl cisagents[17177]: Entry name 
EST1/DESKTOP.AFP/ICON/736F646D5458455 
un 16 10:53:43 blr7-userl cisagents[17177]: Entry name = /media/nss/ 
EST1/DESKTOP.AFP/ICON/736F646D666C726 
un 16 10:53:43 blr7-userl cisagents[17177]: Entry name = /media/nss/ 
EST1/~DFSINFO.8-P 
un 16 11:07:26 blr7-userl cisagents[17177]: 2017/06/16 11:07:26 Number 
f Components: 3 
un 16 11:07:26 bl 
EST1/BB/krb5.conf 
un 16 11:07:26 blr7-userl cisagents[17177]: Entry name 
EST1/DESKTOP.AFP/1C0N/736F646D414E494 
un 16 11:07:26 blr7-userl cisagents[17177]: 
EST1/DESKTOP.AFP/ICON/736F646D4C50504 
un 16 11:07:26 blr7-userl cisagents[17177]: Entry name 
EST1/DESKTOP.AFP/ICON/736F646D5458455 
un 16 11:07:26 blr7-userl cisagents[17177]: Entry name 
EST1/DESKTOP.AFP/ICON/736F646D666C726 
un 16 11:07:26 blr7-userl cisagents[17177]: 
TEST1/~DFSINFO.8-P 


/media/nss/ 





HG 








H Cj 














O Cj H Cj 


Uy 


T-userl cisagents[17177]: Entry name /media/nss/ 


ro 


/media/nss/ 





H Cj 





/media/nss/ 


E 


ntry name 





ares 





/media/nss/ 





HG 








/media/nss/ 

















H Cj 




































































/media/nss/ 


E 


q 


ntry name 








Similarly, verify the status of other two CIS agents. 


If CIS agents are not running, restart all 3 agents by entering the following command: 
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6.1.2 


systemctl start oes-cis-agent.service 
systemctl start oes-cis-recall-agent.service 


systemctl start oes-cis-scanner.service 


Data Migration Using CIS Management Console 


1. Configure the cloud account. For more information, see Section 6.1.2, "Accounts," on page 43. 
2. Create a policy. For more information, see Section 6.1.3, "Policies," on page 44. 

3. Configure the tier. For more information, see Section 6.1.4, "Tiers," on page 47. 
4 


. View the status of data migration. For more information, see Section 6.1.5, "Dashboard," on 
page 51. 


Insights 


The CIS welcome page provides the network level view of total number of volumes available on the 
OES servers that is configured with CIS, total number of files available, and total space used by those 
files. Based on the access time or modification time, the Data Summary section displays the 
percentage of hot and cold data available on all the volumes and lets you do the following: 


* View the percentage of hot and cold data (based on access time or modification time) by 
moving the data slider. 

* Setthe age of the hot and cold data (based on access time and modification time) by moving 
the time slider. 


Click E» to view the updated scan details of all the CIS agents. You can use this page to discover the 
top five volumes that contain more cold data, the top five users with more cold data, and the top 
five file types available as part of that cold data. Overall, this page provides the user with the insights 
of data available in their organization and use this information to create policies. 


Click any volume in Top Cold Volumes or the HOT/COLD chart to view the volume specific summary. 
Click on volumes count at the top to go to volume summary information page. 


Accounts 


Configure and manage the cloud account to which you are planning to migrate the data. 


+ "Configuring Cloud Account" on page 44 


* "Managing Cloud Accounts" on page 44 
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Configuring Cloud Account 


Click the Accounts tab, the Cloud Accounts page is displayed. 


1 Click 4 to configure the cloud account. 
2 Specify the following: 
2a Account Name: Specify the cloud account name. 
2b Account Type: Select one of the following: 
* AWS S3 
* S3 Compatible 


Endpoint: This parameter is displayed only if you select the S3 Compatible. Specify the 
URL of the cloud server. 


2c Region: Select the region name where the cloud server is available. 
2d Access Key: Specify the access key of the cloud account. 
2e Secret Key: Specify the secret key of the cloud account. 

3 Click SAVE. 


Managing Cloud Accounts 
Click the Accounts tab to view all the configured cloud accounts. 
* To modify the cloud account information: 


1. Click O on the cloud account you want to modify. 
2. Click UPDATE. 


* To delete the cloud account: 


1. Click Ki] on the cloud account you want to delete. 





NOTE: You cannot delete the account on which the data migration is already performed. 





2. Click OK. 


6.13 Policies 


The data is migrated using the policies that are created based on the last accessed time, modified 
time, file type, file size, and so on. 


* "Creating a Policy” on page 45 


* "Managing Policies" on page 46 
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Creating a Policy 


Click the Policies tab, the Policies page is displayed. 


1 Click 4 to create a policy. 
2 Specify the name and description for the policy. 
3 Select the required rule. 

The following are sample use cases: 


* Use Case 1: To migrate data that is not accessed for more than 120 days. 


Rules Value Unit Operation 
Files not accessed since 120 days End 

OR 

Rules Value Unit Operation 
Files not accessed since 4 months End 


* Use Case 2: To migrate data that is not modified for the last two years. 


Rules Value Unit Operation 


Files not modified since 2 years End 


* Use Case 3: To migrate all the files with . doc and .pdf extension. 


Rules Value Operation 


File name matches * doc,*.pdf End 


* Use Case 4: Consider you have six files with names data, user1 data, 2017 data, 16- 
may data, may-17 data, and data32. To migrate files with file names containing a 
matching string. 


Rules Value Operation 


File name matches *data* End 


After running this policy, all the six files are successfully migrated. 


* Use Case 5: To migrate all the files that are less than 1 MB in size. 


Rules Value Unit Operation 


File size is less than 1 MB End 
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+ Use Case 6: To migrate all the files and folders that are available in a specific file path. 


Rules Value Operation 


File path contains /data1/secret End 





NOTE: Ensure that the path provided is from the root of the volume. 





4 (Optional) Create multiple rules for the same policy using the following: 
+ And: Performs And operation between the selected and next rule. 
+ Or: Performs Or operation between the selected and next rule. 


+ New group: Adds a new group and use And or Or option between these two groups. You 
can create any number of groups and add multiple rules for the same group. 


+ Delete: Deletes the selected rule. 
+ End: Deletes all the rules that follows the selected rule. 


For example, to migrate all the data except PDF files larger than 10 MB and less than 6 months 


old: 
Rule Value Unit Operation 
File not accessed since 6 months And 
File size is less than 10 MB And 
File name does not * pdf - End 
match 

5 Click SAVE. 


Managing Policies 
Click the Policies tab to view all the policies. 
+ To modify the policy: 


1. Click policy name or A on the policy you want to modify. 
2. Click UPDATE. 
+ To delete the policy: 


1. Click Ki] on the policy you want to delete. 





NOTE: You cannot delete the policy that you have used to migrate data. 





2. Click OK. 
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Tiers 


It includes: 


* "Tiers" on page 47 


* "Migrate from DST" on page 49 


Tiers 


By configuring the cloud tier, you are associating the primary storage (data on OES server) and cloud 
storage to perform the data migration. Using tier configuration, you can run the policy at a 
scheduled time. 


+ “Configuring Cloud Tiers” on page 47 


* "Managing Cloud Tiers" on page 48 


Configuring Cloud Tiers 


Click the Tiers tab, then click Tiers. 


1 Click + to configure the tier. 


2 Specify the following: 


2a 


2b 
2c 
2d 


2e 
2 


> 


28 
2h 


Server: Select the OES server. This lists the OES servers that are configured with CIS server 
where agent is running and also includes the cluster resources. 


Volume: Select a volume. 
Endpoint: Select the required cloud account name. 


Bucket Name: Specify the bucket name used to store the migrated data. The bucket name 
can be obtained from your cloud account. 


Region: Select the region where the specified bucket name is available. 


Encryption: To enable this parameter, configure the encryption settings. If enabled, 
encrypts the migrated data in the cloud storage. 


For more information on encryption settings, see "Encryption" on page 55. 
Policy: Select the required policy to be applied. 


Schedule: Select the schedule type based on how frequently the policy should be run for 
the tier. It includes the following: Daily, Weekly, Monthly, Once, and None. 


As a best practice, you can limit the duration of run to four hours everyday or run during 
the weekend to minimize the load on the OES servers. It is recommended that you do not 
migrate the data when users are accessing the data. 


To limit the duration of the schedule run, select Time duration for the schedule run option 
and specify the time duration. 


3 Click SAVE. 





NOTE: The secondary volume or CBV (Cloud Backed Volume) is automatically created after the tier 
configuration. 
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Managing Cloud Tiers 


Click the Tiers tab to view all the cloud tiers. Before to estimate the total migrate or recall data 
before the actual run. 


+ |f the schedule type is None, click ©) to start the data migration. 


+ To stop the data migration, click the rotating icon (€, 
The next time, you start the data migration process for the same tier, the remaining data is 
migrated to the cloud storage. 

* Torerun the policy for the tier, click G. 


* To view statistics for the tier: 


1. Click”. 


Displays information of the migrated files from the previous job run (each time the 
schedule starts at a specified time, a new job run is created). The statistic information 
includes: 


* Status: Provides the status of data migration. 

* Start Time: Provides the data migration start time. 

* End Time: Provides the data migration completion time. 

* Files Migrated: The total number of files migrated. 

¢ Data Size: Lists the overall size of the data migrated for each volume. 
For more information on detailed reports, see "Dashboard" on page 51. 


2. If no files are migrated, click Last Run to view the statistic information for the previous job 
run. 


* To modify the tier: 


1. Click P d on the tier you want to modify. 
2. Select the policy type for tier run. It includes: 
* Migration Policy: Migrates the data (that satisfies the policy selected) to the cloud. 
* Recall Policy: Recalls the data (that satisfies the policy selected) from the cloud. 
* Free Space Calculation: Calculates (dry run) the amount of data that will be migrated 


to the cloud. Before performing the migration, ensure that enough space is available 
on the cloud. 


* Recall Space Estimation: Calculates (dry run) the amount of data that will be recalled 


from the cloud to your Primary volume. Before performing the recall, ensure that 
enough space is available on your Primary volume. 


3. Click UPDATE. 


* To delete the tier: 


1. Click Ki] on the tier you want to delete. 


If data migration is not performed on this tier, click OK to delete. 
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If data migration is performed on this tier, select the desired action. 


* Recall files and delete: This recalls all files (migrated as part of this tier) from the 
cloud and automatically deletes the tier. 


* Force delete: This deletes the tier and CBV volume associated with this tier without 
recalling files. The data (migrated as part of this tier) is lost and cannot be recovered. 


. If you select the Recall files and delete action, choose the schedule to recall files and then 


click Recall. 
OR 


If you select the Force delete action, click Delete. 


Migrate from DST 


Based on the DST migrate tier details, the data is migrated from the DST shadow volume to the cloud 
storage. By default, an internal policy is applied to migrate all files in the DST shadow volume. 


+ "Configuring DST Migrate Tier" on page 49 


* "Managing DST Migrate Tiers" on page 50 


Configuring DST Migrate Tier 


Click the Tiers tab, then click Migrate from DST. 





NOTE: Before configuring the DST tier, ensure to disable the DST policies. For more information, see 
Chapter 7, "Migrating DST Volumes to Cloud," on page 57. 





1 Click —— to configure the tier. 


2 Specify the following: 


2a 


2b 
2c 
2d 


2e 
2f 


2g 


Server: Select the OES server. This lists the OES servers that are configured with CIS server 
where agent is running and also includes the cluster resources. 


Volume: Select a volume. 
Endpoint: Select the required cloud account name. 


Bucket Name: Specify the bucket name used to store the migrated data. The bucket name 
can be obtained from your cloud account. 


Region: Select the region where the specified bucket name is available. 


Encryption: To enable this parameter, configure the encryption settings. If enabled, 
encrypts the migrated data in the cloud storage. 


For more information on encryption settings, see “Encryption” on page 55. 


Schedule: Select the schedule type based on how frequently the policy should be run for 
the tier. It includes the following: Daily, Weekly, Monthly, Once, and None. 
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As a best practice, you can limit the duration of run to four hours everyday or run during 
the weekend to minimize the load on the OES servers. It is recommended that you do not 
migrate the data when users are accessing the data. 


To limit the duration of the schedule run, select Time duration for the schedule run option 
and specify the time duration. 


3 Click SAVE. 





NOTE 
* The secondary volume or CBV (Cloud Backed Volume) is automatically created after the tier 
configuration. 


+ Ifthe primary volume is AD enabled, ensure that the CBV created for the corresponding primary 
volume is also AD enabled using NSS tools or utilities. 





Managing DST Migrate Tiers 


Click the Tiers tab to view all the DST migrate tiers. 


+ |f the schedule type is None, click ©) to start the DST migration. 


+ To stop the DST migration, click the rotating icon ©) 
The next time, you start the DST migration process for the same tier, the remaining data is 
migrated to the cloud storage. 

+ To rerun the policy for the DST tier, click cz 


+ To view statistics for the DST tier: 


1. Click”. 


Displays information of the migrated files from the previous job run (each time the 
schedule starts at a specified time, a new job run is created). The statistic information 
includes: 


+ Status: Provides the status of data migration. 

+ Start Time: Provides the data migration start time. 

+ End Time: Provides the data migration completion time. 

* Files Migrated: The total number of files migrated. 

+ Data Size: Lists the overall size of the data migrated for each volume. 
For more information on detailed reports, see “Dashboard” on page 51. 


2. If no files are migrated, click Latest Migration to view the statistic information for the 
previous job run. 


* To modify the DST tier: 


1. Click O on the DST tier you want to modify. 
2. Click UPDATE. 
+ To move the DST tier to cloud tier, perform the following: 


1. After migrating all the files to cloud, remove the DST pair. For more information, see 
Chapter 7, “Migrating DST Volumes to Cloud,” on page 57. 


Management Tools for CIS 


6.1.5 


6.1.6 


2. Click 7% on the DST tier. 
3. Select the required policy and click MIGRATE. 
The DST tier is no longer listed in Migrate from DST. Instead, it is listed in Tiers. 
+ To delete the DST tier: 


1. Click i on the DST tier you want to delete. 
2. Click OK. 


Dashboard 


The Dashboard page displays the following: 


* File Size: Total size of files migrated and recalled. 
* File Count: Total number of files migrated and recalled. 


* Graphical Representation of Files Migrated and Recalled: Displays a line graph for both files 
migrated and recalled. The horizontal axis (x-axis) represents the migrated or recalled time, 
whereas the vertical axis (y-axis) represents the data size. Click on the files migrated or recalled 
value and zoom in to view the exact time the individual files are moved. 


* Select Date: Click on date icon at the top right corner to select a date and to view the 
information of files migrated and recalled on the selected dates. The date selection option is 
available on Dashboard and Statistics page. 


Click the file size or file count to go to Volumes page. The Volumes page displays the total size of files 
migrated, recalled, and a graphical representation of the same in the form of pie graph for each 
volume. 


Click on a volume or pie graph to go to Statistics page. The Statistics page displays the file size, file 
count, and a graphical representation of files migrated and recalled for a specific volume. Click More 
Details to view the detailed information of files migrated and recalled. The migrated files are 
displayed based on the run ID (ID generated for every policy/job run on each tier). Select the run ID 
to view the information of migrated files for a specific job (policy run for a specific volume). 


Roles 


Configure roles for the user or group objects that belongs to eDirectory to manage CIS. 





NOTE: Active Directory user or group objects are not supported. 





+ "Configuring Roles" on page 51 


* "Managing Roles" on page 52 


Configuring Roles 





NOTE: Before configuring the Roles, create a proxy user using iManager and specify that user in 
Proxy User Name under the Settings » Proxy User and Context tab. For more information, see "Proxy 
User and Context" on page 54. 
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Click the Roles tab, the Roles page is displayed. 


1 Click z to configure the role. 

2 Specify the following: 
2a Name: Specify the eDirectory object name. 
2b Type: Select either User or Group. 
2c Role: Select the required access: 


+ Read Admin: The user or group objects can only view the cloud account, policy and 
tier information. 


+ Execute Admin: The user or group objects can configure cloud account, create policy, 
and configure cloud tier. 


+ Root Admin: The user or group objects can configure cloud account, create policy, 
configure cloud tier, configure roles and modify the CIS server and agent settings. 


3 Click SAVE. 


Managing Roles 
Click the Roles tab to view all the roles configured. 
* To modify the role: 


1. Click O on the role you want to modify. 
2. Click UPDATE. 


+ To delete the role: 


1. Click Ki] on the role you want to delete. 
2. Click OK. 


6.1.7 Agents 


This page allows you to set the configuration for OES server agents and scanners. Click the Agents 
tab, the Agent Settings page is displayed. It includes: 


+ "Global Configuration for All Agents" on page 52 
+ "Configuration for Each Agent” on page 53 
* "Global Configuration for All Scanners" on page 54 


+ "Configuration for Each Scanner" on page 54 


Global Configuration for All Agents 


This section lists the common configuration for all the CIS agents on OES servers that is connected to 
CIS server. It includes the following: 


* Port: Specify the port through which all the CIS agents on OES servers communicate to CIS 
server. The default value is 8000. 
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NOTE: If you are modifying the port, ensure to close the existing port. 


+ Log Level: Select the log level for all the CIS agents. The options are: Panic, Fatal, Error, Warn, 
Info, and Debug. The default log level is Info. 


* Throttling: Click toggle button (On) to regulate the data transfer rate of the recalled files. By 
default, it is Off. It includes: 


* Duration: Specify the time interval in seconds within which the specified number of files in 
File Limit should be recalled. The default value is 60 seconds. 


* File Limit: Specify the total number of files to be recalled within the specified Duration. The 
default value is 100. 


For example, consider a scenario where the Duration as 30 seconds and File Limit as 60, which 
indicates maximum 60 files can be recalled at any given point in time depending on the file size 
and network bandwidth. Assuming that if 60 files are recalled in first 10 seconds, then the time 
taken to recall the remaining files is based on the following rule: 


Recall rate per file = Duration/File Limit = "n" seconds, which means 30/60 = 0.5 seconds. 





NOTE: Ensure to restart the recall agent for throttling changes to take effect. 


* Online/Offline: Enables or disables the data recall on all the CIS agents. By default, it is set to 
Online. 


* Enabled/Disabled: Enables or disables the data migration and recall on all the CIS agents on 
OES server that is connected to CIS. By default, it is Enabled. 


If disabled, it brings down all the CIS agents. To enable the CIS agents again, set toggle button to 
Enabled, click SAVE and then manually login to the OES servers and restart the CIS agent service 


After setting the global configuration, click SAVE. 


Configuration for Each Agent 


This section lists all the CIS agents on OES server that is connected to the CIS server. It provides the 
setting parameters for individual CIS agent. 


NOTE: The agents in the highlighted rows will be configured with the global agent configuration. 





* Agent Name: Displays the CIS agent name on OES server that is connected to CIS. 


* Data Server: Select the required CIS data server URI through which the CIS agent should 
communicate to. By default, the CIS server URI is displayed 


* Port: Specify the port through which the CIS agent on OES server should communicate to CIS 
data server. The default value is 8000. 





NOTE: If you are modifying the port, ensure to close the existing port. 





* Log Level: Select the log level for the CIS agent. The options are: Panic, Fatal, Error, Warn, Info, 
and Debug. The default log level is Info. 


* Agent State: This includes the following: 


* Online/Offline: Enables or disables the data recall on that CIS agent. By default, it is set to 
Online. 
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+ Enabled/Disabled: Enables or disables the data migration and recall on that CIS agent. By 
default, it is Enabled. 


If disabled, it brings down the CIS agent. To enable the CIS agent again, set toggle button to 
Enabled, click SAVE and then manually login to the OES server and restart the CIS agent 
service. 


After setting the agent configuration, click SAVE. 


Global Configuration for All Scanners 


This section lists the common configuration for all the CIS scanners on OES servers that is connected 
to CIS server. It includes the following: 


+ Schedule: Select the schedule type based on how frequently the scanner should run on OES 
servers. It includes the following: Daily, Weekly, Monthly, Once, and None. 


To limit the duration of the schedule run, select Time duration for the schedule run option and 
specify the time duration. 


+ Incremental Scanning: Allows you to perform a full scan or a incremental scan on the OES 
volumes. By default, it is Disabled. If enabled, performs the differential scan from the previous 
full scan on the OES volumes. 


After setting the global configuration, click SAVE. 


Configuration for Each Scanner 


This section lists all the CIS scanners on the OES servers that is connected to the CIS server. It 
provides the setting parameters for individual CIS scanner. 


+ To immediately trigger a file scan, go to specific OES server and click ©). 
* To modify the scheduled scan: 


1. Click d on the OES server you want to modify. 
2. Select the schedule type. 
3. Click UPDATE. 


After setting the agent configuration, click SAVE. 


6.1.8 Settings 


This page allows you to set the configuration for CIS server. Click the Settings tab, the CIS settings 
page is displayed. It includes: 


* "Proxy User and Context" on page 54 
* "General" on page 55 


* "Encryption" on page 55 


Proxy User and Context 


Includes the following: 
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IMPORTANT: The root admin must have the following rights: 


* Rights to modify the cishost-info attribute on the server context. 


* Supervisory rights on the proxy user of eDirectory object, if root admin needs to update the 
proxy DN. 





¢ CIS Server Context: By default, it is obtained from the CIS configuration. Displays the fully 
distinguished name of the context under which the OES server objects that can connect to the 
CIS server reside. For example, ou=wdc,o=acme is set as context indicates that any server within 
this context can connect to CIS. 


* Administrator Search Context: Specify the context of the administrator user or group object 
where you can configure roles for a specific user or group. For example, if o=acme is set as 
search context, the authentication object is searched only within this context. 


* Proxy User Name: Specify the proxy user used by the CIS server for users or groups lookup. The 
proxy user should have read and compare permissions for CN attribute on the Administrator 
Search Context configured. The proxy user password is reset and maintained by the CIS server. 
This proxy user should be used to manage only CIS. 


After configuring the context settings, click SAVE. 


General 
Includes the following: 


* Secondary Volume Suffix Pattern: Specify the name that needs to be suffixed with the 
secondary volume name. The default value is CBV. For example, if the primary volume name is 
VOL1, the secondary volume name is VOL1 CBV. 


* Log Level: Select the log level for CIS services. The options are: Panic, Fatal, Error, Warn, Info, 
and Debug. The default log level is Info. 


After configuring the general settings, click SAVE. 


Encryption 


CIS supports pool-based encryption and generates a pool of keys for data encryption. It includes the 
following: 


* Key Size: Select the AES encryption key size based on your requirement. 


¢ Pool Size: Specify a valid integer. Based on the specified value, the corresponding pool of keys 
are generated and used for data encryption. The minimum pool size value is 127. 


After configuring the encryption settings, click SAVE to generate the pool of keys. To again generate a 
new pool of keys for a different Pool Size values, click REGENERATE. 
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Data Servers 


The data servers page displays the following: 


* 


* 


Lists all the gateway servers and the data servers that are connected to the individual gateway 
server. It also displays the corresponding CIS agents configured for all the gateway servers. 


Lists all the standalone data servers and corresponding CIS agents configured to a standalone 
data server. 


Health Indicator 


The CIS health indicator shows the current server health status as healthy, partially healthy, or not 
healthy. Click the server health icon at the top right corner to display the CIS Health Status window. 


The CIS health status displays the status of the following: 


* 


* 


* 


* 


* 


Summary: Displays the overall status of the CIS server. 

Services: Displays the status of all the CIS services. 

Gateway: Displays the connection status between the CIS gateway and CIS services. 
Infrastructure: Displays the status of ZooKeeper, Elasticsearch, Kafka, and Database. 


Configuration: Displays the status of docker daemon, docker network for CIS, CIS network in 
iptables - Firewall, network masquerading for CIS, CIS ports, and logging service. 


If the server health status is not good, click FIX to fix the issues. Similarly, to get the updated health 
status of CIS server, click REFRESH. 
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Migrating DST Volumes to Cloud 


This section describes about how to migrate DST local and cluster volumes to cloud storage. 


The following video demonstrates how to migrate DST cluster volumes to the cloud using CIS: 


p^ http://www.youtube.com/watch?v=3-A9wYtUQt8 


Prerequisites 
+ Ensure to salvage the required files available in the DST shadow volume. Otherwise, the 
salvageable files are not migrated to cloud during the tier run. 


* It is recommended to take a backup of the DST shadow volume before performing the DST 
migration. 


+ Ensure that all the active and running DST policies are completed or stopped. 


* |n OES Remote Manager, under Manage NCP Services > Manage Server, ensure to set the DST 
parameter information as follows: 

















REPLICATE PRIMARY TREE TO SHADOW: 1 
SHIFT ACCESSED SHADOW FILES: 0 

SHIFT DAYS SINCE LAST ACCESS: 0 
S 
D 
D 





























HIFT MODIFIED SHADOW FILES: 1 
UPLICATE SHADOW FILE ACTION: 0 
UPLICATE SHADOW FILE BROADCAST: 0 
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Figure 7-1 Migrating DST Volumes to Cloud 
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Procedure 


1 Using CIS management console, associate the DST volumes to CIS tier. For more information, 
see “Migrate from DST” on page 49. 


2 Migrate the DST shadow volume data to cloud. 
3 Remove the DST pair. 


3a To remove the shadow relationship for local DST volume pair, see Removing the Shadow 
Relationship for a Non-Clustered DST Shadow Volume in the OES 2018 SP2: Dynamic 
Storage Technology Administration Guide. 


3b To remove the shadow relationship for clustered DST volume pair, perform the following: 


3b1 Remove the shadow definition for the DST shadow volume pair and NCP bindings 
exclusion for the secondary volume on each node. For more information, see 
Removing the Shadow Definition and NCP/NSS Bindings Exclusion on All Nodes in the 
OES 2018 SP2: Dynamic Storage Technology Administration Guide. 


3b2 In the primary pool cluster resource scripts, remove (or comment out) the lines for the 
management of the secondary pool and secondary volume. For more information, see 
Preparing the Primary Pool Cluster Resource for Independent Use in the OES 2018 
SP2: Dynamic Storage Technology Administration Guide. 


3b3 Online the pool with shadow volume. For more information, see Modifying the 
Secondary Pool Cluster Resource in the OES 2018 SP2: Dynamic Storage Technology 
Administration Guide. 


4 Ensure that the primary volume, shadow volume, and CBV are mounted. 


5 Using CIS management console, perform switch operation to move the DST tier to cloud tier. For 
more information, see "Managing DST Migrate Tiers" on page 50. 
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Working with CIS Client 


On Mac OS X, when you use List view, Column view, or Gallery view options in Finder to preview the 
files that are uploaded to the cloud, the files get downloaded from the cloud. This unwanted 
download of files fills up your local storage. To avoid this, Open Enterprise Server CIFS provides a 
feature that can be enabled by using the novci £s utility. Enabling this feature with the CIS client on 
Mac OS X allows you to preview the files uploaded to the cloud. 


Enabling this feature with the CIS client on Windows workstation allows you to access the files 
uploaded to the cloud. This client also provides an enhancement to the overlay icon on the files 
uploaded to the cloud. This overlay icon helps to differentiate the local files and the files uploaded to 
the cloud. 


To use the CIS client, ensure to enable the --block-unmanaged-cis-reads option by using the 
novcifs utility. If the client is not installed then you cannot access the files uploaded to the cloud. 
Only the administrator can modify this feature on the OES server. 


The CIS client solves all these problems: 


* Allows you to display cloud overlay icon on the files uploaded to the cloud (Windows 
workstation). 


* Access to the files uploaded to the cloud (Windows and Mac workstation). 


CIS Client Support Matrix 


CIS client can be installed on Windows and Mac workstation. The following are the requirements for 
installing and running CIS client: 


* Windows: Windows 10 
* Mac: Mac OS X 10.14 and later 


Accessing and Installing CIS Client 


Go to OES Welcome page (http://«OES server IP Address or the host name>/welcome/client- 
software.html) and download the CIS client based on your operating system. It includes: 


* CIS Client for Windows 
* CIS Client for Mac 


This section explains how to install the CIS client on both Windows and Mac workstation. 


* Section 8.1, "CIS Client for Windows," on page 62 
* Section 8.2, "CIS Client for Mac," on page 63 
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8.1 


8.1.1 


8.1.2 


8.1.3 


CIS Client for Windows 


It includes the following: 


* Section 8.1.1, "Prerequisites," on page 62 

* Section 8.1.2, "Installing CIS Client," on page 62 

* Section 8.1.3, "Reinstalling or Uninstalling CIS Client," on page 62 
* Section 8.1.4, "Log Details," on page 63 


Prerequisites 


* The CIS client is built on Microsoft .NET Framework 4.5, so ensure to update your Windows 
version with the latest patches. 


* Ensure the --block-unmanaged-cis-reads option is set to 'yes' by using the novcifs 
command-line utility. 





NOTE: Only administrator can modify this option on the OES server. 





Installing CIS Client 


The steps to install the CIS client on a Windows workstation are as follows: 


1 Runthe “CISClient.msi” installer to launch the setup. 
2 Read the introduction, then click Next. 
3 Read and accept the end-user license agreement, then click Next. 
4 Onthe Features window page, click Next. 
The following features will be installed: 
* Use Overlay Icon 


Displays the overlay icon on the files that are uploaded to the cloud. The overlay icon helps 
to differentiate the local files and the files uploaded to the cloud. 


* Access Files Uploaded to Cloud 
Allows the user to access the files uploaded to the cloud. 
5 Click Install to begin the installation. 
In a few seconds, the client is successfully installed. 
6 Click Finish to exit the installer. 


A pop-up message is displayed to restart the workstation for the configuration changes made to 
CIS client to take effect. 


Reinstalling or Uninstalling CIS Client 


The steps to reinstall or uninstall the CIS client on a Windows workstation are as follows: 


1 Runthe "CISClient.msi" installer to launch the setup. 


2 Read the introduction, then click Next. 
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8.1,4 


8.2 


8.2.1 


3 Select the required action to perform: 
* Repair 


To install any missing components. The installation program detects the previously 
installed components and reinstalls them. 


* Remove 


To uninstall the CIS client. 





IMPORTANT: After uninstalling the CIS client, ensure to restart the Windows workstation. 
Otherwise, the workstation would still behave as a managed CIS client (can access files 


uploaded to the cloud). 





4 Follow the installation wizard to complete the setup. 


Log Details 


The CIS client log information is available at 
C:\Users\<username>\AppData\Local\OES\CISClient\logs\cisclient.log. To 
configure the log level, do the following: 








1 Inthe Start menu, in the Run box or the Search box, type regedit, and press Enter. 

2 Select HKEY_CURRENT_USER > Software > OES > CISClient > LogLevel. 

3 Right-click and select Modify. Specify the required value under 'Value data’ and click OK. 
Example: 


Value data = O (displays all logs) 


CIS Client for Mac 


It includes the following: 


* Section 8.2.1, "Prerequisite," on page 63 
* Section 8.2.2, "Installing CIS Client," on page 64 
* Section 8.2.3, "Log Details," on page 64 


* Section 8.2.4, "Limitation," on page 64 


Prerequisite 


Ensure the --block-unmanaged-cis-reads option is set to 'yes' by using the novcifs 
command line utility. 





NOTE: Only administrator can modify this option on the OES server. 
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8.2.2 


8.2.3 


8.2.4 


Installing CIS Client 


The steps to install the CIS client on a Mac workstation are as follows: 


1 
2 
3 
4 


Open the "CISClient.pkg" installer to launch the package. 
Read the introduction, then click Continue. 
Again, click Continue to read and agree with the end-user license agreement. 


Click Install. It prompts for administrator credentials, enter the password, and click Install 
Software to begin the installation. 


In a few seconds, the client is successfully installed. 
Click Close to exit the installer. 


On Mac 10.15 and later versions, a pop-up message is displayed to restart the workstation for 
the configuration changes made to CIS client to take effect. 


Log Details 


* 


* 


The CIS client log information is available under 'Devices' section in the /Applications/ 
Utilities/Console.app application. To send the logs to developer, run the following 
command in /Applications/Utilities/Console.app and share the 

system logs.logarchive file. 


To enable debug log, use the following command: 





sudo sysctl -w kern.com microfocus cismac-"debug-«value»" 


Example: 





sudo sysctl -w kern.com microfocus cismac-"debug-10" 


Limitation 


After uninstalling the CIS client, ensure to restart the Mac workstation. Otherwise, the workstation 
would still behave as a managed CIS client (can access files uploaded to the cloud), which leads to 
the unwanted download of files from the cloud. 
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9 Troubleshooting CIS 


9.1 


This section describes some issues you might experience with Cloud Integrated Storage and provides 
suggestion for resolving or avoiding them. 

* Section 9.1, "Upgrade Issue," on page 65 

* Section 9.2, "Unable to Configure Kafka Service During CIS Configuration," on page 66 

* Section 9.3, "CIS Agents Stops Randomly During the Data Migration," on page 67 


* Section 9.4, "Health Indicator on CIS Management Console Displays CIS Health as Not Healthy," 
on page 67 


* Section 9.5, "Infrastructure Services Fails to Come Up After Cleaning Up the Disk Space in HA 
Node," on page 67 


* Section 9.6, "/var/lib/docker/containers in Infrastructure Server Consumes More Disk Space," 
on page 68 


* Section 9.7, "Agent Is Not Being Listed During the Tier Creation," on page 68 

* Section 9.8, "CIS Management Console Fails to Display Summary Page," on page 68 

* Section 9.9, "Scanner Fails to Scan the New Volume," on page 68 

* Section 9.10, "Agent Fails to Display the Volumes During Tier Configuration," on page 68 


* Section 9.11, "Agents Unable to Communicate with CIS and CIS Management Console Does not 
Work," on page 69 


* Section 9.12, "CIS Services Fails to Come Up," on page 69 
* Section 9.13, "CIS Configuration Fails With an Error," on page 69 


* Section 9.14, "CIS Fails to Communicate with External Entities," on page 70 


Upgrade Issue 


After upgrading OES 2015 SP1 or older OES versions to OES 2018 SP1 or later, during tier creation in 
CIS management console, the server option fails to list the OES server and displays an error, 
"Certificate is not valid for any names, but tried to match with «host»". Because the eDirectory 
certificates in OES 2015 SP1 and older versions do not add DNS name in the Subject Alternative 
Name (SAN). 


Verify the Certificate 


To view the certificate details, run the following command: 





openssl x509 -in /etc/ssl/servercerts/servercert.pem  -noout -text 
The output: 


X509v3 Subject Alternative Name: 
IP Address:192.168.2.33, DNS:blr-2-33.example.com 
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9.2 


If the Subject Alternative Name (SAN) value does not display the IP Address and DNS entries, you 
must repair the eDirectory certificate. 


To repair the eDirectory certificates on the upgraded CIS server: 


1 
2 
3 
4 


Log in to ¡Manager as Admin. 
Go to Roles and Tasks > NetIQ Certificate Server > Repair Default Certificates. 
Select the server(s) that own the certificates and click Next. 
Choose the default certificate options and then click Next. 
4a Select Yes All Default Certificates will be overwritten. 


4b Select Create SSL CertificatelP and click the other option to specify the IP address you want 
to use. 


4c Under Default DNS Address, click the other option to specify the DNS address you want to 
use. 


Review the tasks to be performed and select Finish. 


Restart eDirectory service. 


7 Restart the following services: 


CIS Agent: systemctl restart oes-cis-agent.service 
Scanner: systemctl restart oes-cis-scanner.service 


Recall Agent: systemctl restart oes-cis-recall-agent.service 


For more information on repairing server certificates, see Micro Focus knowledge base article 
7013080. 


Unable to Configure Kafka Service During CIS 
Configuration 


CIS configuration fails with an error "Kafka configuration failed: ErrinternalError: ethO: error fetching 
interface information: Device not found" while configuring Kafka service. This is because the server 
has a network device with 'emO' as identifier instead of 'ethO'. 


To avoid this issue, perform the following: 


1 
2 


Login to the server as a root user. 
Run the following command: 


yast2 lan 


3 On Network Settings page under Overview tab, select a network device with emO and click Edit. 


On Network Card Setup page under Hardware tab, click Change and rename the Device Name to 
'ethO' from 'emO'. 


Click Next and then click OK. 
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9.4 


9.5 


CIS Agents Stops Randomly During the Data Migration 


When migrating the data to cloud, CIS agents stops randomly with an error "socket: too many open 
files". This is because the Max open files resource is set with the lower ‘soft limit' and ‘hard limit' 
values. In SLES 12, the default values of 'soft limit' and 'hard limit' for Max open files resource are 
1024 and 4096 respectively. 


To resolve this issue, increase the 'soft limit' and 'hard limit' values for Max open files resource: 


1 Login to the server as a root user. 
2 Obtain CIS agents process ID using the following command: 
pgrep cisagents 


3 ForMax open files resource, set the 'soft limit' and 'hard limit' values to 65535 using the 
following command: 


prlimit --pid «pid of cisagent obtained in step2» --nofile=65535:65535 





4 Verify the 'soft limit' and 'hard limit' values using the following command: 


cat /proc/<pid of cisagent obtained in step2>/limits | grep "open 
files" 


Health Indicator on CIS Management Console Displays 
CIS Health as Not Healthy 


After successfully configuring CIS in a cluster environment, the health indicator icon on CIS 
management console displays the CIS health status as not healthy. 


To resolve this issue, restart the CIS configuration service on OES server using the following 
command: 


systemctl restart oes-cis-configuration.service 


Infrastructure Services Fails to Come Up After Cleaning 
Up the Disk Space in HA Node 


After cleaning up all the container data on the infrastructure HA nodes where there was no free disk 
space available, the infrastructure services on that node still does not come up. This is because the 
docker services are not running. 


To resolve this issue, perform the following on all HA nodes where the issue occurs: 
1 Open a terminal console, then log in as a root user. 
2 Cleanup the old container data using the following command: 


docker system prune -a -f 


3 Onany HA node, execute the following command: 





sh /opt/novell/cis/bin/cis ext service.sh prepare 


For more information on this issue, see https://github.com/moby/moby/issues/31254. 
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/var/lib/docker/containers in Infrastructure Server 
Consumes More Disk Space 


The /var/lib/docker/containers path in Infrastructure server configured in high availability 
(HA) consumes more space which results in disk getting filled. For more information, see https:// 
github.com/docker/distribution/blob/master/ROADMAP.md#deletes. 


To avoid this issue, ensure to provide sufficient disk space while deploying the Infrastructure server 
in HA. 


Agent Is Not Being Listed During the Tier Creation 


In CIS Management Console, during the tier creation the Server parameter does not display the OES 
servers that are configured with CIS server. 


To resolve this issue, ensure that the agent is up and running. Also, if firewall is enabled, ensure that 
the agent port 8000 is open. 


CIS Management Console Fails to Display Summary 
Page 
When you login to CIS management console, the Insights page displays Welcome to Cloud Integrated 


Storage page instead of the Summary page where all the hot and cold data information should be 
displayed. This might be because the scanner has not scanned the volumes on the OES server. 


To resolve this issue, start the scanner on the OES server using the following command: 


systemctl start oes-cis-scanner.service 


Scanner Fails to Scan the New Volume 


When you add a new volume to the OES server, the Insights page under CIS management console 
does not display the statistic information of that volume. This might be because the scanner has not 
scanned the new volume added. 


To resolve this issue, restart the scanner on the OES server using the following command: 


systemctl start oes-cis-scanner.service 


Agent Fails to Display the Volumes During Tier 
Configuration 


During the tier configuration, agent does not display the list of volumes when you click on drop- 
down menu on the Volume parameter in the CIS management console. 


To resolve this issue, ensure that the /etc/resolv.conf is configured with the appropriate DNS 
entry so that the OES server and CIS server are mutually resolvable. 
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9.12 


9.13 


Agents Unable to Communicate with CIS and CIS 
Management Console Does not Work 


The CIS services are up and running, also the agent and CIS management console is working fine. 
Because of modification done on firewall settings on the CIS server, the agent fails to communicate 
with the CIS server and CIS management console URL does not work. 


To resolve this issue, restart the docker services using the following command: 


systemctl restart docker.service 


CIS Services Fails to Come Up 


When you execute docker ps command to verify the CIS server configuration, the command does 
not list any of the CIS services or lists only the collector and aggregator service. 


To resolve this issue, perform the following: 


* Ensure that the mariadb and elasticsearch service is up and running with the CIS service that is 
configured with. 


+ If firewall is running, ensure that the MariaDB port 3306 and Elasticsearch port 9400 is open. 


CIS Configuration Fails With an Error 


If CIS is the first server installed on the tree, the schema is not updated. Therefore, while configuring 
CIS an "Undefined Attribute Type" error is displayed. To resolve this issue, extend the eDirectory 
schema for the CIS server. 


To extend the eDirectory schema, perform the following: 
* If eDirectory and CIS is installed on the same server, run the following command: 


/opt/novell/eDirectory/bin/ndssch -h «IP address or hostname where 
eDirectory or CIS is running» 'cn-admin.o-novell' «file path of 
cis.sch» 


For example, 


/opt/novell/eDirectory/bin/ndssch -h 192.168.0.1 'cn-admin.o-novell' / 
opt/novell/cis/schema/cis.sch 


OR 
* If eDirectory and CIS is installed on different servers, perform the following: 
1. Copythe cis.sch file from /opt/novell/cis/schema to eDirectory server. 
2. Run the following command: 


/opt/novell/eDirectory/bin/ndssch -h «IP address or hostname where 
eDirectory is running» 'cn-admin.o-novell' «file path of cis.sch» 
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For example, 


/opt/novell/eDirectory/bin/ndssch -h 192.168.0.1 
'cn-admin.o-novell' /root/cis.sch 


9.14 CIS Fails to Communicate with External Entities 


All docker services are up and running and CIS is working fine. If firewall is stopped, the docker 
services are still up and running, but CIS management console fails to launch and communication 


with agent fails. 


To resolve this issue, either start the firewall or restart all CIS and infrastructure services on the 
server where firewall is stopped. 
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10.1 


10.2 


Best Practices and Common Questions 


This section contains recommendations about the following topics. 


* Section 10.1, “Backup and Restore Options for Cloud Backed Volumes (CBV),” on page 71 

* Section 10.2, "Client Recommendation," on page 71 

+ Section 10.3, “Recalling Files from the Cloud Storage to the Source NSS Volume,” on page 72 
* Section 10.4, "Log Level Settings," on page 73 

* Section 10.5, "Scanner Settings," on page 74 


* Section 10.6, "Using Distributed File Services (DFS) with Cloud Backed Volume," on page 74 


Backup and Restore Options for Cloud Backed Volumes 
(CBV) 


If OES Storage Management Service (SMS) or third-party backup software based on SMS is used to 
backup and restore, it takes care of backing up only the metadata information of the files that are 
migrated to cloud storage or object store without recalling the actual file data. If third-party backup 
software that supports the standard Linux Extended Attributes (xattr) is used, ensure that on CBV 
you backup only metadata for the cloud migrated files. However, if third-party backup software does 
not provide any option to backup only metadata for the cloud migrated files, then perform the 
following to disallow recall of migrated files from cloud storage: 


1 Open a terminal console, then log in as a root user. 





2 Add the RECALL OFFLINEMODE environment variable and set to TRUE in /usr/1lib/ 
systemd/system/oes-cis-recall-agent.service on all the agents. 

















For example, add the following in oes-cis-recall-agent.service. 





Environment-"RECALL OFFLINEMODE-TRUE" 




















3 To ensure system has read any changes, run the following command: 
systemctl daemon reload 
4 Restart the recall agent on all OES servers where backup and restore need to be done. 


systemctl restart oes-cis-recall-agent.service 


Client Recommendation 


For CIS agents to scale up during the data migration, it is recommended to increase the 'soft limit' 
and 'hard limit' values for Max open files resource. For more information, see Section 9.3, "CIS 
Agents Stops Randomly During the Data Migration," on page 67. 
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NSS Volume 


Recalling Files from the Cloud Storage to the Source 


You can control how files in the cloud storage are recalled automatically to the source NSS volume. 
When a file is migrated to cloud storage and replaced with a CBV file on the source NSS volume, the 
CBV file should look and behave like the original file. The size on the disk for the CBV file will be in 
KBs. File recall is the process by which the user clicks the CBV file and quickly accesses the original 
file available in the cloud storage. 


The CBV file contains the information required to find the original file. When a user attempts to read 
the CBV file, NSS sends a recall request to CIS, which then executes the recall and passes the file to 


the NSS. 


Use Cases for Recalling Files from the Cloud 


Table 10-1 describes use cases for recalling files based on the user access. 


Table 10-1 Recall Behaviors for Files in the Cloud 


When the file is modified 


When the file is accessed 
but not modified 


Source NSS Volume 


The file gets recalled from the cloud 
storage and will be available for the 
duration based on the value configured 
inthe MOVE ON MODIFY DURATION 
parameter. After that duration, the file 
retains in the NSS volume. 





The file gets recalled from the cloud 
storage and will be available for the 
duration based on the value configured 
inthe MOVE ON MODIFY DURATION 
parameter. After that duration, a new 
CBV file is created, and the recalled file 
gets deleted to free up space. 





Cloud Storage 


A copy of the file is available on the 
cloud for the duration based on the 
value configured in the 

MOVE ON MODIFY DURATION 
parameter. After that duration, the file 
copy gets deleted, and it is no longer 
available. 





A copy of the file is available on the 
cloud for the duration based on the 
value configured in the 

MOVE ON MODIFY DURATION 
parameter. After that duration, the file 
copy retains in the cloud. 





The recalled files are available on both the source NSS volume and cloud storage for a specific time 


duration based on the value configured in the MOV] 


this time duration, perform the following on the CIS server: 





1 Open a terminal console, then log in as a root user. 


E ON MODIFY DURATION parameter. To modify 


2 Gotothe /etc/opt/novell/cis/config file and configure the 
MOVE ON MODIFY DURATION parameter with the required time duration. The default value is 
3 days. The available range is 1 to 3 days. 





For example: 


MOVE ON MODIFY DURATION-1 


3 Restart the metadata service. 





Systemctl restart oes-cis-metadata.service 
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10.4.2 


10.4.3 


Log Level Settings 


It includes following sections: 


* Section 10.4.1, "CIS Server," on page 73 


* Section 10.4.2, "CIS Agents," on pag 


e 73 


* Section 10.4.3, "Infrastructure Services," on page 73 


CIS Server 


The CIS services log level is configured using CIS management console. For more information, see 


"General" on page 55. 


CIS Agents 


The CIS agents log level can be set at global configuration (all OES server agents) and individual OES 
server agents using CIS management console. For more information, see Section 6.1.7, "Agents," on 


page 52. 


Infrastructure Services 


The infrastructure services includes ZooKeeper, Elasticsearch, and Kafka services configured in high 
availability nodes. You must login to all the nodes and then configure the log level for each 


infrastructure services separately. 


1 Open a terminal console, then log in as a root user. 


2 Configure log level for the following 


infrastructure services: 


+ ZooKeeper: Go to /etc/opt/novell/cis/zk/log4j.properties and configure the 


required log level in rootLogg 


For example, to set Debug log | 


er.level parameter. 


evel for ZooKeeper, add the following in /etc/opt/ 


novell/cis/zk/1log4j.properties. 


zookeeper.root.logger-D 





CI 





EBUG, CONSOLI 


zookeeper.console.threshold=WARN 


¢ Elasticsearch: Go to /etc/opt 


/novell/cis/es/10g4j2.properties and configure 


the required log level in rootLogger. level parameter. 


For example, to set Debug log | 


evel for Elasticsearch, add the following in /etc/opt/ 


novell/cis/es/10g4j2.properties. 


rootLogger.level - debug 





+ Kafka: Go to /etc/opt/novell/cis/kafka/1log4j.properties and configure the 


required log level in 109453 . ro 


For example, to set Debug log | 


otLogger parameter. 


evel for Kafka, add the following in /etc/opt/novell/ 


cis/kafka/log4j.properties. 








log4j.rootLogger-DEBUG, 





The log levels supported are: Trace, 


stdout 


Debug, Info, Warn, and Error. The default value is Warn. 
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3 Restart docker services on all the infrastructure HA nodes using the following command: 


systemctl restart docker.service 


Scanner Settings 


After configuring the CIS server, the scanner agent associated to CIS server scans all the volumes. To 
rescan the OES server at a scheduled time, add the environment variable in oes-cis- 
scanner.service on all the OES server agents. Based on the value configured, the scanner scans 
the OES server to get the updated volumes information. The default value is 7 days. 


This settings are applicable to all OES servers that are configured before OES 2018 SP2. To configure 
the scanner settings on OES 2018 SP2 servers, see Section 6.1.7, “Agents,” on page 52. 


To set the configuration to scan OES server volumes, perform the following: 


1 Configure the SCAN INTERVAL DAYS environment variable in /usr/lib/systemd/system/ 
oes-cis-scanner.service on allthe agents. 





For example, add the following in oes-cis-scanner.service. 








Environment-"SCAN INTERVAL DAYS-2" 

2 To ensure system has read any changes, run the following command: 
systemctl daemon-reload 

3 Restart the scanner agent. 


Systemctl restart oes-cis-scanner.service 


Using Distributed File Services (DFS) with Cloud Backed 
Volume 


Distributed File Services (DFS) is installed automatically as part of the NSS file system. Cloud 
Integrated Storage supports using DFS junctions on the primary NSS volume. The primary volume 
can also be the target of a junction. Primary NSS volumes that contain DFS junctions or are junction 
targets can reside in a OES Cluster Services cluster. 


DST does not support using DFS junctions on the CBV. The CBV cannot be the junction target. 


Table 10-2 on page 75 summarizes the supported CIS configurations for use with DFS: 
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Table 10-2 CIS support for DFS Features 


DFS Features Primary NSS Cloud Backed 
Volume Volume 

Junctions Yes No 

Junction targets Yes No 

Move/split No No 

volumes 


Cluster 


Yes 


Yes 


No 


File Access Protocol 


NCP 


Novell CIFS. DFS support must be 
enabled in CIFS. See DFS Junction 
Support in CIFS Linux in the OES 2018 
SP2: OES CIFS for Linux Administration 
Guide. 


Linux Samba does not support DFS 
junctions for NSS volumes. 


Not applicable 


Not applicable 
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Limitations for CIS 


This section lists the known issues in Cloud Integrated Storage. 


* CIS works with only the default NSS mount volume path. The support for different NSS volume 
mount path would be provided in the upcoming release. 


* If MS SQL server is configured with a time zone different from the CIS server, then the migration 
time stamp on CIS Dashboard page is in sync with MS SQL server. 
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Configuration and Log Files 


This section provides information on all CIS and infrastructure components configuration and log 


files location. 


Table A-1 CIS Configuration Files 


Path 

/etc/opt/novell/cis/config 
/etc/opt/novell/cis/fluentbit/config 
/etc/opt/novell/cis/fluentbit/fluentd.conf 


/etc/opt/novell/cis/certs/rootCAs 


Table A-2 CIS Log Files 


Path 


/var/log/messages 
/var/opt/novell/log/cis/microservices 
/var/opt/novell/log/cisagent/agent.log 
/var/opt/novell/log/cisagent/recallagent.log 
/var/opt/novell/log/cisagent/cisscanner.log 
/var/log/mysql/mysqld.log 


/var/log/elasticsearch/elasticsearch.log 


Description 


CIS server configuration 
CIS server log configuration 
Fluent Bit configuration for CIS server 


If secure communication is used with the target cloud 
or object store, copy the CA bundle in PEM format to 
this location. 


Description 

CIS server logs 

Common log location of all the CIS services 
Contains log messages of OES server agent 
Contains log messages of OES server recall agent 
Contains log messages of OES server scanner 
MariaDB server logs 


Elasticsearch logs 
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B.1 


B.2 


Installing and Configuring MariaDB 


This section describes how to install and configure the MariaDB database to use with CIS. 


* Section B.1, "Installing MariaDB," on page 81 
* Section B.2, "Configuring MariaDB," on page 81 


Installing MariaDB 


1 Ensure you have access to your operating system installation media. 
2 In YaST, click Software > Software Management. 
3 In the Search field, type mariadb, then click Search. 
4 Select mariadb, then click Accept. 
The MariaDB is successfully installed. 
5 Continue with Section B.2, "Configuring MariaDB," on page 81. 


Configuring MariaDB 


When MariaDB is initially installed, it is not configured with an administrator password, nor is it 
configured to start automatically. To set up the MariaDB database server for use with CIS, perform 


the following: 


1 In a terminal window, become the root user. 

2 To start the database server, run the following command: 
systemctl restart mysql.service 

3 To enable the database server, run the following command: 
systemctl enable mysql.service 


4 To verify the database server has started, run the following command: 














systemctl status mysql.service 


5 To set the root password and enable root access from remote machines, run the following 


command: 
mysql secure installation 


5a It prompts for current password for root user, press 'Enter' to continue. 


5b It promptsto Set root password?,enter 'y' to continue and then enter password. 


The password is updated successfully. 


5c It prompts to Remove anonymous users?, press 'Enter' to continue with the default 


configuration. 


5d It prompts to Disallow root login remotely?, enter 'n' to continue. 
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5e It prompts to Remove test database and access to it?, press 'Enter' to continue 
with the default configuration. 


5f It promptsto Reload privilege tables now?,enter 'y' to continue. 
6 Login to MariaDB. 
mysql -u root -p 
It prompts for password. 


7 To grant permissions for the superuser account, run the following commands: 














> GRANT ALL PRIVILEGES ON *.* TO '<username>'@'%S' IDENTIFIED BY 
'<password>'; 

















> FLUSH PRIVILEGES; 








For example: 


























GRANT ALL PRIVILEGES ON *.* TO 'root'@'%S' IDENTIFIED BY 'password'; 


8 Toenable the firewall, run the following command: 





yast2 firewall 
The Firewall Configuration: Start-Up window is displayed. 
9 In the left menu, click Allowed Services and then click Advanced option. 
The Additional Allowed Ports window is displayed. 
10 Add 3306 port under the TCP Ports and then click OK. 
11 Click Next and Finish. 
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C.1 


Creating Certificates 


This section provides information on certificate creation for CIS and other CIS dependent 
components. 


* Section C.1, "Creating Certificates for CIS," on page 83 


Creating Certificates for CIS 


This section describes about how to create a sample Server Certificate, Server Key and CA Certificate 
files. 


1 Create a temp folder. 
2 Generate CSR (Certificate Signing Request) file. 


The sample csr. detail file.txt file is as follows: 


[req] 

default bits = 2048 
prompt = no 

default md - shal 

req extensions - req ext 
distinguished name - dn 


[ dn ] 
O- «Organization Name» 
CN= «Hostname or DNS Name» 


[ req ext ] 
subjectAltName = QGalt names 


[ alt names ] 
DNS.1 = oes doc.labs.wdc.acme.com 
IP = 192.168.0.1 








The attribute details is as follows: 
+ CN: Host name of a OES server where CIS server is installed. 
* DNS.«value»: DNS name of a OES server where CIS server is installed. 


If DNS name is provided for Gateway Server Address during CIS configuration, ensure that 
the same DNS name is configured. For more information, see "Configure CIS as a 
Standalone Server" on page 23. 


+ IP: IP address of the OES server where CIS is configured. 
In case of Novell Cluster Services (NCS), the CN, DNS and IP should be configured as follows: 
+ CN: Host name of a gateway cluster resource. 


* DNS.«value»: DNS name of a gateway cluster resource. 
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If DNS name is provided for Gateway Server Address during CIS configuration, ensure that 
the same DNS name is configured. For more information, see “Configure CIS Services” on 
page 28. 


+ IP: IP address of the cluster gateway resource IP. 
3 Create the .csr file using the following command: 


openssl req -new -sha256 -nodes -out csrfilename.csr -newkey rsa:2048 - 
keyout serverkey.pem -config «csr detail file name» 


4 Generate the public certificate using the .csr file and eDirectory. 
4a Goto iManager » Netiq Certificate Server » Issue Certificate. 
4b Click Choose File to select the .csr file and click Next. 


4c Select Key type as SSL or TLS and Extended key usage as Server authentication 
and User authentication, then click Next. 














4d Select Certificate Type as End Entity and follow the wizard to continue. 
4e Click Download the issued certificate link. 

5 Copy the generated server certificate to the temp folder. 

6 Convert the generated certificate from .der to .pem format. 


openssl x509 -inform der -in <.der file name» -out <servercert.pem> 
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